Preface



This volume contains the papers presented at the Seventh International Conference on Logic for Programming and Automated Reasoning (LPAR 2000) held on Reunion Island, France, 6-10 November 2000, followed by the Reunion Workshop on Implementation of Logic.

Sixty-five papers were submitted to LPAR 2000 of which twenty-six papers were accepted. Submissions by the program committee members were not allowed. There was a special category of experimental papers intended to describe implementations of systems, to report experiments with implemented systems, or to compare implemented systems. Each of the submissions was reviewed by at least three program committee members and an electronic program committee meeting was held via the Internet.

In addition to the refereed papers, this volume contains full papers by two of the four invited speakers, Georg Gottlob and Michael Rusinowitch, along with an extended abstract of Bruno Courcelle’s invited lecture and an abstract of Erich Grädel’s invited lecture.

We would like to thank the many people who have made LPAR 2000 possible. We are grateful to the following groups and individuals: the program and organizing committees; the additional referees; the local arrangements chair Teodor Knapik; Pascal Manoury, who was in charge of accommodation; Konstantin Korovin, who maintained the program committee Web page; and Bill McCune, who implemented the program committee management software.
Abstract. In this paper, we determine the complexity of propositional theory curbing. Theory curbing is a nonmonotonic technique of common sense reasoning that is based on model minimality but, unlike circumscription, treats disjunction inclusively. In an earlier paper, theory curbing was shown to be feasible in PSPACE, but the precise complexity was left open. In the present paper we prove it to be PSPACE-complete. In particular, we show that both the model checking and the inferencing problem under curbed theories are PSPACE-complete. We also study relevant cases where the complexity of theory curbing is located, just as for plain propositional circumscription, at the second level of the polynomial hierarchy and is thus presumably easier than PSPACE.



1 Introduction 

Circumscription [15] is a well-known technique of nonmonotonic reasoning based on model-minimality. The (total) circumscription Circ(T) of a theory T, which is a finite set of sentences, consists of a formula whose set of models is equal to the set of all minimal models of T. For various variants of circumscription, see [14].

As noted by various authors [5,6,17,18,19,20], reasoning under minimal models runs into problems in connection with disjunctive information. The minimality principle of circumscription often enforces the exclusive interpretation of a disjunction a ∨ b by adopting the models in which either a or b is true but not both. There are many situations in which an inclusive interpretation is desired and seems more natural (for examples, see Section 2).

To redress this problem, and to be able to handle inclusive disjunctions of positive information properly, the method of theory curbing was introduced in [8]. This method is based on the notion of a good model of a theory. Roughly, a good model of a theory T is either a minimal model, or a model of T that constitutes a minimal upper bound of a set of good models of T. The sentence Curb(T) has as its models precisely the good models of T. When T is a first-order theory, Curb(T) is most naturally expressed as a third-order formula. However, in [8], it was shown that Curb(T) is expressible in second-order logic.

Circumscription is usually not applied to all predicates of a theory, but only to the members of a list p of predicates, where the predicates from a list z disjoint with p, called the floating predicates, may be selected such that the predicates in p become as small as possible; the remaining predicates not occurring in p and z (called fixed predicates) are treated classically. In analogy to this, in [8], formulas of the form Curb(T; p, z) are defined, where curbing is applied to the predicates in list p only, while those from list z (the floating predicates) are interpreted in the standard way. In the propositional case, the lists p and z of predicate symbols are lists of propositional variables (corresponding to zero-ary predicates).

Since its introduction in [8], the curbing technique has been used and studied in a number of other papers. For instance, Scarcello, Leone, and Palopoli [21] provide a fixpoint semantics for propositional curbing and derive complexity results for curbing Krom theories, i.e., clausal theories where each clause contains at most two literals. Liberatore [11,12] bases a belief update operator on a restricted version of curbing. Note that curbing is a purely model-theoretic and thus syntax-independent method. In particular, for two logically equivalent theories T and T', it holds that Curb(T) is logically equivalent to Curb(T'). Curbing can be applied to arbitrary logical theories and not just to logic programs. In the context of disjunctive logic programming, various syntax-dependent methods of reasoning that do not treat disjunction exclusively were defined in [5,18,17,19,20,6].

In [8], the following two major reasoning problems under curbing were shown to be in PSPACE:

Curb Model Checking: Given a propositional theory T, an interpretation M of T, and disjoint lists p and z of propositional variables, decide whether M is a good model of T w.r.t. p and z (i.e., decide whether M is a model of Curb(T; p, z)).

Curb Inference: Given a propositional theory T, disjoint lists p and z of propositional variables, and a propositional formula G, decide whether Curb(T; p, z) ⊨ G.

The precise complexity of curbing, for both model checking and inferencing, was left open in [8]. Note that model checking for propositional circumscription is coNP-complete [3] and inferencing under propositional circumscription is Π^P_2-complete [7]. It was conjectured in [21,11] that curbing is of higher complexity than circumscription. This is intuitively supported by a result of Bodenstorfer [2] stating that in an explicitly given set of models, witnessing that some particular model is good may involve an exponential number of smaller good models (for a formal statement of this result, see Section 3).

The main result of this paper answers the above questions. We prove that Curb Model Checking and Curb Inference are PSPACE-complete. Both problems remain PSPACE-hard even in case of total curbing, i.e., when curbing is applied to all propositional variables, and thus the list z of floating propositional variables is empty and no propositional variables are fixed. The proof takes Bodenstorfer’s construction as a starting point and shows how to reduce the evaluation of quantified Boolean formulas to theory curbing.

The PSPACE-completeness result strongly indicates that curbing is a much more powerful reasoning method than circumscription, and that it cannot be reduced in polynomial time to circumscription. Thus, circumscriptive theorem provers cannot be efficiently used for curb reasoning. On the other hand, a curb theorem prover could be based on a QBF solver (see [10,4,16,1,9]).

After proving our main result, we identify classes of theories for which the complexity of curbing is located at a lower complexity level. Specifically, we show that if a theory T has the lub property, that is, every set of good models of T has a least (unique minimal) upper bound, then propositional Curb Model Checking is in Σ^P_2, while Curb Inference is likewise feasible at the second level of the polynomial hierarchy. Note that relevant classes of theories have this property. For example, as shown by Scarcello, Leone, and Palopoli [21], Krom theories enjoy the lub property. More specifically, in [21] it is shown that the union of any pair of good models of a Krom theory is a good model, too. This is clearly a special case of the lub property; in [21], this special property is used to show that Curb Model Checking for propositional Krom theories is in Σ^P_2. The lub property can be further generalized. We show that the following less restrictive weak least upper bound property (weak lub property) also leads to complexity results at the second level of the polynomial hierarchy: T has the weak least upper bound (weak lub) property, if every non-minimal good model of T is the lub of some collection 𝓜 of good models of T. The lub and the weak lub property are of interest not only in the case of propositional circumscription, but also in case of predicate logic. We therefore discuss these properties in the general setting.

The rest of this paper is organized as follows. In the next Section 2, we review some examples from [8] and give a formal definition of curbing. We then prove in Section 3 the main result stating that propositional Curb Model Checking and Curb Inference are both PSPACE-complete. In Section 4 we discuss the lub property, and in the final Section 5 the weak lub property.

2 Review of Curbing 

In this section, we review the concept of “good model” and give a formal definition of 
curbing. The presentation follows very closely the exposition in [8]; the reader familiar 
with [8] may skip the rest of this section. 

2.1 Good Models 

Let us first describe two scenarios in which an inclusive interpretation of disjunction is 
desirable. Models are represented by their positive atoms. 

Example 1: Suppose there is a man in a room with a painting, which he hangs on the wall if he has a hammer and a nail. It is known that the man has a hammer or a nail or both. This scenario is represented by the theory T1 in Figure 1. The desired models are h, n, and hnp, which are encircled. Circumscribing T1 by minimizing all variables yields the two minimal models h and n (see Figure 1). Since p is false in the minimal models, circumscription tells us that the man does not hang the painting up. One might argue that the variable p should not be minimized but fixed when applying circumscription. However, starting with the model of T1 where h, n and p are all true and then circumscribing with respect to h and n while keeping p true, we obtain the models hp and np, which are not very intuitive. If we allow p to vary in minimizing h and n, the outcome is the same as for minimizing all variables. On the other hand, the model hnp seems plausible. This model corresponds to the inclusive interpretation of the disjunction h ∨ n. □

Fig. 1. The hammer-nail-painting example

T2 = {a ∨ b ∨ c, (a ∧ b) → (c ∨ d), (b ∧ c) → (a ∨ d), (a ∧ c) → b}

Fig. 2. The party example

Example 2: Suppose you have invited some friends to a party. You know for certain that one of Alice, Bob, and Chris will come, but you don’t know whether Doug will come. You know in addition the following habits of your friends. If Alice and Bob go to a party, then Chris or Doug will also come; if Bob and Chris go, then Alice or Doug will go. Furthermore, if Alice and Chris go, then Bob will also go. This is represented by theory T2 in Figure 2. Now what can you say about who will come to the party? Look at the models of T2 in Figure 2. Circumscription yields the minimal models a, b, and c, which interpret the clause a ∨ b ∨ c exclusively in the sense that it is minimally satisfied. However, there are other plausible models. For example, abc. This model embodies an inclusive interpretation of a and b within a ∨ b ∨ c; it is also minimal in this respect. abd is another model with this property. Similarly, bcd is a minimal model for an inclusive interpretation of b and c. The models ad, bd, and cd are not plausible, however, since a scenario in which Doug and only one of Alice, Bob or Chris are present does not seem well-supported. □

In the light of these examples, the question arises how circumscription can be extended to work satisfactorily. An important insight is that such an extension must take disjunctions of positive events seriously and allow inclusive (hence non-minimal) models, even if such models contain positive information that is not contained in any minimal model. On the other hand, the fruitful principle of minimality should not be abandoned by adopting models that are intuitively not concise. The idea of curbing is based on the synthesis of both: adopt the minimal inclusive models. That is, adopt for minimal models M1, M2 any model M which includes both M1 and M2 and is a minimal such model; in other words, M is a minimal upper bound (mub) for M1 and M2.

To illustrate, in Example 1 hnp is a mub for h and n (notice that hn is not a model), and in Example 2 abc is a mub for a and b; abd is another one, so several mub’s can exist. In order to capture general inclusive interpretations, mub’s of arbitrary collections M1, M2, M3, ... of minimal models are adopted.

It appears that in general not all “good” models are obtainable as mub’s of collections of minimal models. The good model abcd in Example 2 shows this. It is, however, a mub of the good models a and bcd (as well as of abc and abd). This suggests that not only mub’s of collections of minimal models, but mub’s of any collection of good models should also be good models.

The curbing approach to extend circumscription for inclusive interpretation of disjunctions is thus the following: adopt as good models the least set of models which contains all circumscriptive (i.e. minimal) models and which is closed under including mub’s. Notice that this approach yields in Examples 1 and 2 the sets of intuitively good models, which are encircled in Figs. 1 and 2.

2.2 Formal Definition of Curbing

In this section we state the formal semantical definition of good models of a first-order sentence as defined in [8].

As for circumscription, we need a language of higher-order logic (cf. [22]) over a set of predicate and function symbols, i.e. variables and constants of finite arity n ≥ 0 of suitable type. Recall that 0-ary predicate symbols are identified with propositional symbols.

A sentence is a formula φ in which no variable occurs free; it is of order n + 1 if the order of any quantified symbol occurring in it is ≤ n [22]. We use set notation for predicate membership and inclusion. A theory T is a finite set of sentences. As usual, we identify a theory T with the sentence φ_T which is the conjunction of all sentences in T.

A structure M consists of a nonempty set |M| and an assignment I(M) of predicates, i.e. relations (resp. functions), of suitable type over |M| to the predicate (resp. function) constants. The object assigned to constant C, i.e. the extension of C in M, is denoted by [C]^M or simply C if this is clear from the context. Equality is interpreted as identity. A model for a sentence φ is any structure M such that φ is true in M (in symbols, M ⊨ φ). mod(φ) denotes all models of φ.

Let p = p_1, ..., p_n be a list of first-order predicate constants and z = z_1, ..., z_m a list of first-order predicate or function constants disjoint with p. For any structure M, let M_{p;z} be the class of structures M' such that |M| = |M'|, and [C]^M = [C]^{M'} for every constant C not occurring in p or z. The pre-order ≤^M_{p;z} on M_{p;z} is defined by

M_1 ≤^M_{p;z} M_2 iff [p_i]^{M_1} ⊆ [p_i]^{M_2} for all 1 ≤ i ≤ n.

The pre-order ≤_{p;z} is the union of all ≤^M_{p;z} over all structures. We write ≤_p etc. if z is empty; ≤_{p;z} and ≤_p are partial orders on M_{p;z} resp. all structures.

The circumscription of p in a first-order sentence φ(p, z) with z floating is the second-order sentence [13]

φ(p, z) ∧ ¬∃p', z' (φ(p', z') ∧ (p' ⊂ p))

which will be denoted by Circ(φ(p, z)) (p and z will be always presupposed). Here p', z' are lists of predicate and function variables matching p and z and p' ⊂ p stands for (p' ⊆ p) ∧ (p' ≠ p), where (p' ⊆ p) is the conjunction of all (p'_i ⊆ p_i), 1 ≤ i ≤ n.
The following is a straightforward consequence of the definitions. 

Proposition 2.1. [13] M ⊨ Circ(φ(p, z)) iff M is ≤_{p;z}-minimal among the models of φ(p, z).

We formally define the concept of a “good” model as follows. First define the property that a set of models is closed under minimal upper bounds.

Definition 2.1. Let φ(p, z) be a first-order sentence. A set 𝓜 of models of φ(p, z) is ≤_{p;z}-closed iff, for every 𝓜' ⊆ 𝓜 and any model M of φ(p, z), if M is ≤_{p;z}-minimal among the models of φ(p, z) which satisfy M' ≤_{p;z} M for all M' ∈ 𝓜', then M ∈ 𝓜.

Clearly the set of all models is closed. Further, every closed set must contain all ≤_{p;z}-minimal models of φ(p, z) (let 𝓜' = ∅); the empty set is closed iff φ(p, z) has no minimal model. We define goodness as follows.

Definition 2.2. A model M of φ(p, z) is good with respect to p; z iff M belongs to the least p; z-closed set of models of φ(p, z).

Notice that good models only exist if a unique smallest closed set exists. The latter is 
immediately evident from the following characterization of goodness. 

Proposition 2.2 ([8]). A model M of φ(p, z) is good with respect to p; z iff M belongs to the intersection of all p; z-closed sets.

In [8], it was shown how to capture goodness by a sentence Curb(φ(p, z); p, z) whose models are precisely the good models of φ(p, z). Similar to circumscription, p are the minimized predicates (here under the inclusive interpretation of disjunction), z are the floating predicates, and all other predicates are fixed. Curbing is naturally formalized as a sentence of third-order logic, given that the definition of the set of good models of a theory involves sets of sets of models. However, in [8] it was also shown that curbing can be formalized in second-order logic.

In the present paper we do not need the formal definitions of Curb(φ(p, z); p, z) in third or second order logic, but we are interested in the problems Curb Inference and Curb Model Checking as defined in the introduction.



2.3 Previous Complexity Results on Propositional Curbing 

Recall that in the propositional case, a structure M is a truth-value assignment to the 
propositional variables. The problems Curb Model Checking and Curb Inference were 
described in the introduction. In [8] it was shown that both problems are in PSPACE, 
and in fact can be solved in quadratic space. 

Two possibilities to approximate the full set of good models by a subset are dis- 
cussed in [8]. The first approximation is to limit iterated inclusion of minimal upper 
bounds. Let us define the notion of a-goodness for ordinals a. 
Definition 2.3. A model M of φ(p, z) is 0-good with respect to p and z, if M is ≤_{p;z}-minimal among the models of φ.

A model M of φ(p, z) is α-good with respect to p and z, if M is a ≤_{p;z}-minimal upper bound of a set of models 𝓜 of φ, such that for each model M' ∈ 𝓜 there exists an ordinal β < α such that M' is β-good w.r.t. p and z.

Informally, in the approximation, one chooses only the models that are α-good for some α such that ‖α‖ ≤ ‖δ‖, where the ordinal δ is a limit on the depth in building minimal upper bounds. The operator corresponding to such a restricted version of curbing is denoted by Curb^δ. Notice that circumscription appears as the case δ = 0, i.e. Curb^0(φ(p, z); p, z) is equivalent to Circ(φ(p, z); p, z).
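The closure described in Section 2.1 (start from the minimal models and keep adding minimal upper bounds) and the α-goodness of Definition 2.3 can be made concrete on the two examples. The following Python program is an added illustration and not code from the paper: it enumerates the models of a small propositional theory given as rules body → head (all atoms minimized, i.e. total curbing with z empty), seeds the good set with the inclusion-minimal models, and then adds mubs of subsets of the good models found so far round by round, so that the round in which a model first appears is the least α for which it is α-good. T1 and T2 are transcriptions of Examples 1 and 2; the function names curb_model_checking, curb_inference and classical_inference are chosen here for the two decision problems of the introduction and for plain entailment.

```python
"""Good models of small propositional theories (added example, not the paper's code).

A theory is a list of rules (body, head), read as AND(body) -> OR(head); an
empty body gives a plain disjunction.  All atoms are minimized (total curbing).
"""
from itertools import combinations

Model = frozenset  # a model is represented by the set of atoms it makes true

# Constructed transcriptions of the two examples of Section 2.1.
T1 = [("", "hn"), ("hn", "p")]                           # h or n;  h and n -> p
T2 = [("", "abc"), ("ab", "cd"), ("bc", "ad"), ("ac", "b")]  # the party example


def satisfies(model, theory):
    """A rule holds unless its whole body is true and no head atom is."""
    return all(not set(body) <= model or bool(set(head) & model)
               for body, head in theory)


def all_models(atoms, theory):
    """Brute-force the 2^|atoms| interpretations and keep the models."""
    atoms = sorted(atoms)
    return [Model(c) for r in range(len(atoms) + 1)
            for c in combinations(atoms, r) if satisfies(Model(c), theory)]


def minimal(models):
    """Inclusion-minimal members of a collection of models."""
    return [m for m in models if not any(o < m for o in models)]


def mubs(models, lower):
    """Minimal upper bounds (mubs) of the collection `lower` among `models`."""
    return minimal([m for m in models if all(l <= m for l in lower)])


def good_models(atoms, theory):
    """Least set of models closed under mubs (Definitions 2.1 and 2.2), built as
    the union of the a-good models for a = 0, 1, 2, ... (Definition 2.3).
    Returns a dict mapping each good model to the least a for which it is a-good."""
    models = all_models(atoms, theory)
    depth = {m: 0 for m in minimal(models)}        # 0-good = minimal models
    rnd = 0
    while True:
        rnd += 1
        known = sorted(depth, key=sorted)            # good models of depth < rnd
        new = set()
        for r in range(2, len(known) + 1):           # every subset of >= 2 known models
            for sub in combinations(known, r):
                new.update(m for m in mubs(models, sub) if m not in depth)
        if not new:                                  # closure reached
            return depth
        for m in new:
            depth[m] = rnd


def curb_model_checking(atoms, theory, candidate):
    """Curb Model Checking: is `candidate` a model of Curb(T)?"""
    return Model(candidate) in good_models(atoms, theory)


def curb_inference(atoms, theory, goal):
    """Curb Inference: does Curb(T) |= G, for G given as a predicate on models?"""
    return all(goal(m) for m in good_models(atoms, theory))


def classical_inference(atoms, theory, goal):
    """Plain entailment T |= G over all models, for comparison."""
    return all(goal(m) for m in all_models(atoms, theory))


if __name__ == "__main__":
    for name, atoms, theory in (("T1", "hnp", T1), ("T2", "abcd", T2)):
        depth = good_models(atoms, theory)
        print(name, {"".join(sorted(m)): d for m, d in depth.items()})
    # d -> b holds under curbing of T2 but not classically (the model cd)
    d_implies_b = lambda m: "d" not in m or "b" in m
    print("Curb(T2) |= d -> b:", curb_inference("abcd", T2, d_implies_b))
    print("T2 |= d -> b:", classical_inference("abcd", T2, d_implies_b))
```

Running it lists h, n (depth 0) and hnp (depth 1) for T1, and a, b, c (0), abc, abd, bcd (1), abcd (2) for T2, matching the encircled models of Figs. 1 and 2; abcd only appears in the second round because every collection it is a mub of contains a non-minimal good model. The run also shows that d → b is a consequence of Curb(T2) but not of T2 itself, since the model cd is not good. The subset enumeration is exponential in the number of good models, which is fine for examples of this size.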

Concerning the computational complexity, the following was shown in [8]:

Theorem 2.1. For Curb^δ (with fixed constant δ) the model checking problem is Σ^P_2-complete, while inferencing is Π^P_2-complete.

Thus, the inference problem is in the propositional case for finite constant δ as easy (and as hard) as circumscription.

Another potential approximation to curbing studied in [8] is to limit the cardinality of model sets from which minimal upper bounds are formed. Intuitively, this corresponds to limiting the number of inclusively interpreted disjuncts by a cardinal k > 0. The concept of closed_k set is defined by adding in the definition of closed set the condition “‖𝓜'‖ ≤ k”; goodness_k is the relative notion of goodness.

Clearly, goodness_1 is equivalent to circumscription. For k ≥ 2 (i.e. |M| is finite) the following result was proven:

Theorem 2.2 ([8]). Over finite structures, for every k ≥ 2 a model of φ(p, z) is good_k with respect to p; z iff it is good with respect to p; z.

This result, which fails for arbitrary structures, implies a dichotomy result on the expressivity of k-bounded disjuncts: Either we get only the minimal models, or all models obtainable by unbounded disjuncts. Thus the method of bounded disjunction is not a really useful approximation.

3 Main Result: PSPACE Completeness of Theory Curbing 

In this section, we shall prove that inference as well as model checking under curbing is PSPACE-complete. Intuitively, the problems have this high complexity since checking whether a model is good requires a “proof”, given by a proper collection of models, which may have non-polynomial size in general.

That such large proofs are necessary has been shown by Bodenstorfer [2]. A support of a model M in a collection 𝓕 of models is a subset 𝓕' ⊆ 𝓕 containing M such that every M' ∈ 𝓕' is in 𝓕 a mub of some models 𝓜 ⊆ 𝓕' \ {M'}. Note that every minimal model M ∈ 𝓕 has a support {M} and that all models in a support are good models. Furthermore, every good model of 𝓕 has some support.

Bodenstorfer has defined a family 𝓕_n, n ≥ 0, of sets of models on an alphabet of O(n) propositional atoms, such that 𝓕_n contains exponentially many models (in n), and 𝓕_n itself is the only support of the unique maximal model M_n of 𝓕_n. Informally, 𝓕_0 = {{a_0}}, and the family is constructed inductively by cloning 𝓕_{n−1} and adding some sets which ensure that the maximal model needs all models for a proof of goodness (see Figure 3).



Fig. 3. Cloning a family 𝓕 with unique maximal model S



3.1 Describing the exponential support family 𝓕_n

We describe Bodenstorfer’s family 𝓕_n by a formula Φ_n such that 𝓕_n = mod(Φ_n). The atoms we use are At_n = {a_i, a'_i, b_i, b'_i | 1 ≤ i ≤ n} ∪ {a_0}. We define the formula inductively, where we set M_0 = {a_0} (and Φ_0 has M_0 as its only model), and for n ≥ 1:

<Pn = {Mn-i A 7„) V A A (a„ ^ A A 

where 

7n = (fln A 6„ A A ^b'„) V (a„ A a'„ A ^b„ A ^b'„) V 
(®n ^f>'n ^ ~^o,n A ^6„) V (a„ A 6„ A A ^b'„) V 
(^n ^ ^ ^ V (o-n A br^ A Ct^ A 6^^), 

— b^n—1 U {ctn; bji^ ^n}' 

Note that the left disjunct of Φ_n gives rise to six models, which extend M_{n−1} by the following sets of atoms:

An^l — bn \ , Q — 5 i ^n} . C^n,0 — 

{ Q-n 5 ’ and { rtn 5 i b^ } . 

Informally, A_{n,1} (resp., A_{n,0}) represents the assignment of true (resp., false) to the atom a_n. The right disjunct of Φ_n generates recursively assignments to the other atoms a_{n−1}, ..., a_1, such that certain minimal models of Φ_n represent truth assignments to the atoms a_1, ..., a_n (see Figure 4).

Note that M_n = M_{n−1} ∪ D_n (i.e., all atoms are true) is, as easily seen, the unique maximal model of the formula Φ_n. The set of models of Φ_n over At_n, mod(Φ_n), defines the family 𝓕_n as described in [2]. Thus, each model M ∈ mod(Φ_n) is good, and M_n requires an exponential size support.
Fig. 4. The set of models mod(Φ_2)



3.2 Evaluating a quantified Boolean formula on mod(Φ_n)

We now show that a quantified Boolean formula (QBF)

F = Q_n a_n Q_{n−1} a_{n−1} ··· Q_1 a_1 φ,

where each Q_i ∈ {∀, ∃} and φ is a Boolean formula over atoms a_1, ..., a_n, can be “evaluated” on the collection mod(Φ_n) of good models exploiting the curbing principle.

Roughly, the idea is as follows: mod(Φ_n) can be layered into n overlapping layers of models, where each layer i contains the models which are recursively generated by the left disjunct of the formula Φ_i. In each layer we have three levels of models. Neighbouring layers i and i − 1 overlap such that the bottom level of i is the top level of i − 1 (see Figure 5). The minimal models in mod(Φ_n) are the bottom models of layer 1, and might be considered as the top model of an artificial layer 0. Similarly, the maximal model M_n in mod(Φ_n) might be viewed as a bottom model of an artificial layer n + 1.

In order to “evaluate” the QBF F, we will obtain a formula Ψ(F) from F by adding conjunctively a set of formulas Γ(F) to Φ_n. Thus Ψ(F) = Φ_n ∧ Γ(F). The formulas in Γ will be chosen such that the overall structure of the set of good models of Ψ(F) does not differ from the one of the set of models of Φ_n. In particular, each model M of Φ_n will correspond to some good model f(M) of Ψ(F) which augments M by certain atoms that describe the truth status of subformulas of F.

By adjoining Γ(F) to Φ_n, we “adorn” the models in mod(Φ_n) with additional atoms which help us in evaluating the formula F along the layers. At a layer i in mod(Φ_n), we have fixed an assignment to the variables a_{i+1}, ..., a_n already, where a_j is true if a_j occurs in the model, and a_j is false if a'_j occurs in the model, for all j ≥ i + 1 (there are some ill-defined assignments in top elements of layer i, in which both a_{i+1} and a'_{i+1} occur; these assignments will be ignored). Then, at two sets at the bottom of the layer i which correspond to the possible extensions of the assignment to a_{i+1}, ..., a_n by setting a_i either true (effected by the set A_{i,1}) or to false (by A_{i,0}),
Fig. 5. Layers in mod(Φ_n)



we “evaluate” the formula Q_{i−1} a_{i−1} ··· Q_1 a_1 φ(a_i, a_{i+1}, ..., a_n) where the variables a_i, ..., a_n are fixed to the assignment. If that formula evaluates to true, then if a_i is true an atom v_i is included (resp., if a_i is false an atom v'_i) at this bottom element. The quantifier Q_i is then evaluated by including in the top element “above” the two bottom sets an atom t_i if, in case of Q_i = ∃, either v_i or v'_i occurs in one of the two bottom elements, and in case of Q_i = ∀, v_i resp. v'_i occur in the bottom elements. The top element is itself a bottom element at the next layer i + 1, and the atom t_i is used there to see whether the formula Q_i a_i ··· Q_1 a_1 φ(a_{i+1}, ..., a_n) evaluates to true.

In what follows, we formalize this intuition. We introduce a set of new atoms At'_n = {v_i, v'_i, t_i | 1 ≤ i ≤ n} ∪ {t_0}.

The following formulas are convenient for our purpose: 

ass_i = a_i ↔ ¬a'_i, 1 ≤ i ≤ n;

K = i^bi+i V A (oj+i A ^6j+i A I < i < n; 

λ_i = χ_i ∧ ¬χ_{i−1}, 2 ≤ i ≤ n;

λ_1 = χ_1.



Informally, ass_i tells whether the model considered assigns the atom a_i legally a truth value. The formula χ_i says that the model is at layer i or below. The formula λ_i says that the model is at layer i. The models at the bottom of layer i which are of interest to us are those in which ass_i is true; all other models of the entire layer violate ass_i.

At layer i ≥ 1, we evaluate the formula using the following formulas:

λ_i ∧ ass_i ∧ t_{i−1} ∧ a_i → v_i
λ_i ∧ ass_i ∧ t_{i−1} ∧ a'_i → v'_i
For i = 1, we add



‘f 



to, 



which under curbing evaluates the quantifier-free part after assigning all variables. Depending on the quantifier Q_i, we add a clause as follows. If Q_i = ∃, then we add

λ_i ∧ (v_i ∨ v'_i) → t_i;

otherwise, if Q_i = ∀, then we add

λ_i ∧ v_i ∧ v'_i → t_i.



For “garbage collection” of the new atoms used at lower layers, we use formulas trap_i which add all atoms v_j, v'_j, t_j of lower layers to all elements of layer i which correspond to an illegal assignment to a_i:

trap_i = λ_i ∧ ¬ass_i → t_0 ∧ ∧_{j=1}^{i−1} (v_j ∧ v'_j ∧ t_j).

Informally, models corresponding to different extensions of an assignment will always have a mub which is upper bounded by the bottom model at layer i which is an illegal assignment.

Let the conjunction of all formulas introduced for layer i, where 1 ≤ i ≤ n, be Γ_i, and let Γ(F) = ∧_{i=1}^{n} Γ_i. Then we define

Ψ(F) = Φ_n ∧ Γ(F).

Note that Ψ(F) has a unique maximal model M_F, which is given by M_F = M_n ∪ {v_i, v'_i, t_i | 1 ≤ i ≤ n} (i.e., all atoms are true).

Let us call a model M ∈ mod(Ψ(F)) an assignment model, if either (a) M ∩ At_n = M_n, or (b) M ⊨ λ_i ∧ ass_i, i.e., either M extends the maximal model of Φ_n or M is at the bottom of layer i and assigns a_i a unique truth value. In case (a), we view M at the bottom of an artificial layer n + 1. M represents a (partial) assignment σ_M to a_1, ..., a_n defined by σ_M(a_j) = true if a_j ∈ M and σ_M(a_j) = false if a'_j ∈ M, for all j = i, ..., n.

We show the following

Lemma 3.1. For each model M ∈ mod(Φ_n), there exists a good model f(M) of mod(Ψ(F)), such that:

1. f(M) ∩ At_n = M (i.e., f(M) coincides with M on the atoms of Φ_n);

2. if M is an assignment model at layer i ∈ {1, ..., n+1}, then f(M) contains t_{i−1} iff the formula

Q_{i−1} a_{i−1} Q_{i−2} a_{i−2} ··· Q_1 a_1 φ(a_1, ..., a_{i−1}, σ_M(a_i), ..., σ_M(a_n))

is true;
3. If M is at layer i ∈ {1, ..., n} but not an assignment model, then



f{M) 



U U U S„), ifM = M„_i U ke{0, 1}. 



4. f(M_n) is the unique maximal good model of Ψ(F), and if Q_n = ∀, then t_n ∈ f(M_n) iff f(M_n) = At_n ∪ At'_n.

An example of the construction of f(·) for the formula F = ∀a_2 ∃a_1 (a_2 → a_1) is shown in Figure 6.



Fig. 6. Evaluating F = ∀a_2 ∃a_1 (a_2 → a_1): Extending M to f(M) = M ∪ X (X shown)



Proof. We first note that each model M' of Ψ(F) is of the form M ∪ S, where M ∈ mod(Φ_n) and S ⊆ At'_n, and each M ∈ mod(Φ_n) gives rise to at least one such M' (just add At'_n to M).

We prove the lemma showing by induction on n ≥ 0 how to construct such a correspondence f(M).

The base case n = 0 (in which F contains no variables and is either truth or falsity) is easy: mod(Φ_0) = {{a_0}} and, if F is truth, then mod(Ψ(F)) = {{a_0, t_0}} and f({a_0}) = {a_0, t_0}, and if F is falsity, then mod(Ψ(F)) = {{a_0}, {a_0, t_0}} and f({a_0}) = {a_0}.

Consider the case n ≥ 1 and suppose the statement holds for n − 1. Let M ∈ mod(Φ_n). We consider two cases.

(1) M ⊨ λ_{n−1} and M ⊭ a_n ∧ a'_n. Then, M ⊨ a_n ↔ ¬a'_n, and either M is an assignment model at the bottom of layer n (in which case M satisfies the left disjunct of Φ_n) or some model not at layer n (in which case M satisfies the right disjunct of Φ_n). In any case, N = M \ {a_n, a'_n, b_n, b'_n} is a model of Φ_{n−1}. By the induction hypothesis, it follows that for N we have a good model f(N) of Ψ(F'), where F' = Q_{n−1} a_{n−1} ··· Q_1 a_1 φ' and φ' = φ[a_n/⊤] (where ⊤ is truth) if a_n ∈ M and φ' = φ[a_n/⊥] (where ⊥ is falsity) if a'_n ∈ M (i.e., a_n ∉ M), such that f(N) fulfills the items in the lemma. We define f(M) as follows. If N ⊂ M_{n−1}, then f(M) := M ∪ f(N); otherwise, if N = M_{n−1}, then f(M) = M ∪ f(N) ∪ S_M, where

S_M = ∅, if t_{n−1} ∉ f(N);
S_M = {v_n, t_n}, if t_{n−1} ∈ f(N), Q_n = ∃, and a_n ∈ M;
S_M = {v'_n, t_n}, if t_{n−1} ∈ f(N), Q_n = ∃, and a'_n ∈ M;
S_M = {v_n}, if t_{n−1} ∈ f(N), Q_n = ∀, and a_n ∈ M;
S_M = {v'_n}, if t_{n−1} ∈ f(N), Q_n = ∀, and a'_n ∈ M.



As easily checked, f(M) is a model of Ψ(F). Furthermore, f(M) is either a minimal model of Ψ(F) (if n = 1), or the mub of good models f(M_1) and f(M_2) such that M_1, M_2 ∈ mod(Φ_{n−1}), M_1, M_2 ⊂ M, and M is a mub of M_1, M_2 in mod(Φ_{n−1}). (If not, then f(N) were not a mub of f(N_1), f(N_2) in mod(Ψ(F')), which is a contradiction.) We can see that f(M) fulfills the items 1-3 in the lemma.

(2) M ⊭ A_{n−1} or M ⊨ a_n a'_n, i.e., M is at layer n but not an assignment model at its bottom. We consider the following possible cases for M: 

(2.1) M = M_{n−1} ∪ B_n. If n = 1, then M is a minimal model of Φ_n, and f(M) = M ∪ {t_0} is a minimal model of Ψ(F), thus f(M) is a good model of Ψ(F); otherwise (i.e., n ≥ 2), M is a mub of any arbitrary models M_1, M_2 ∈ mod(Φ_n) such that M_1 contains a_n and M_2 contains a'_n, respectively, and M_i \ {a_n, a'_n, b_n, b'_n} ⊂ M_{n−1}, for i ∈ {1, 2}. Since, by construction, f(M_i) ⊂ M_{n−1} ∪ … =: f(M), this set is an upper bound of f(M_1) and f(M_2) in mod(Ψ(F)); from formula trap_{n−1} it follows that f(M) is a mub of f(M_1), f(M_2). Thus, f(M) is a good model of Ψ(F). 

(2.2) M = M_{n−1} ∪ C_{n,k}, k ∈ {0, 1}: As easily checked, f(M) = f(M_{n−1} ∪ A_{n,k}) ∪ f(M_{n−1} ∪ B_n) (= M_{n−1} ∪ … ∪ S_{M_{n−1} ∪ A_{n,k}}) is a model of Ψ(F). Since, as already shown, both f(M_{n−1} ∪ A_{n,k}) and f(M_{n−1} ∪ B_n) are good models of Ψ(F), clearly f(M) is a mub of them and thus a good model of Ψ(F). 

(2.3) M = M_n. We define 

$$
f(M) = f(M_{n-1} \cup C_{n,0}) \cup f(M_{n-1} \cup C_{n,1}) \cup
\begin{cases}
\{t_n\}, & \text{if } Q_n = \forall \text{ and } v_n, v'_n \in \ldots;\\
\emptyset, & \text{otherwise.}
\end{cases}
$$



Observe that f(M) = M_n ∪ At'_{n−1} ∪ X, where X ⊆ {v_n, v'_n, t_n}. Then, as easily checked, f(M) is a model of Ψ(F). Clearly, f(M) is a mub of f(M_{n−1} ∪ C_{n,0}) and f(M_{n−1} ∪ C_{n,1}), and thus f(M) is a good model of Ψ(F). 

We now show that f(M) in (2.1)–(2.3) satisfies items 1–3 in the lemma. Obviously, this is true for (2.1) and (2.2). For the case (2.3), from the definitions of f(·) in (1) and (2.1)–(2.2) it follows that t_n ∈ f(M) if and only if t_{n−1} ∈ f(M_{n−1} ∪ A_{n,k}) holds for some k ∈ {0, 1} if Q_n = ∃ and for both k ∈ {0, 1} if Q_n = ∀. By the induction hypothesis, t_{n−1} ∈ f(M_{n−1} ∪ A_{n,k}) is true iff the QBF Q_{n−1} a_{n−1} ⋯ Q_1 a_1 ψ', where ψ' = φ[a_n/⊤] if k = 1 and ψ' = φ[a_n/⊥] if k = 0, is true. Thus, t_n ∈ f(M) iff the QBF F is true. Hence, f(M) satisfies items 1–3 of the lemma. 

As for property 4, in the case where Q_n = ∀ we have by definition of f(M) that t_n ∈ f(M) iff f(M) = M_n ∪ … = At_n ∪ At'_n. 
Finally, it remains to show that f(M_n) is the unique maximal good model of Ψ(F). As easily seen, every finite propositional theory which has a unique maximal model has a unique maximal good model, thus Ψ(F) has a unique maximal good model M'. From the induction hypothesis, it follows that M_k = f(…) is the unique maximal good model of Ψ(F) such that M' ∩ … ⊆ M_{n−1} ∪ …, for k ∈ {0, 1}. Since M_2 = … is the unique maximal good model N of Ψ(F) such that N ∩ At_n ⊆ M_{n−1} ∪ B_n, we conclude from the structure of layer n, which has the lub property (see Section 4), that M' is a mub of M_0, M_1, M_2. Since, by construction, f(M) is an upper bound of M_0, M_1, M_2, it follows that M' = f(M). 

This proves that the claimed statement holds for n, and completes the induction. 

□ 



We thus obtain the following result. 

Theorem 3.1. 1. Given a propositional formula G and a model M of G, deciding whether M is a good model of G is PSPACE-hard. 

2. Given a propositional formula G and an atom p, deciding whether Curb(G) ⊨ p is PSPACE-hard. 

Proof. By items 2 and 4 in Lemma 3.1, M = At_n ∪ At'_n is a good model of Ψ(F) for a QBF F = ∀a_n Q_{n−1} a_{n−1} ⋯ Q_1 a_1 φ iff F is true. Furthermore, F is false if and only if no good model of Ψ(F) contains t_n. Deciding whether any given QBF of this form is true (resp. false) is clearly PSPACE-hard, and the formula Ψ(F) is easily constructed in polynomial time from F. This proves the result. □ 

Combined with the previous results [8] that Curb Inference and Curb Model Checking are in PSPACE, we obtain the main result of this section. 

Theorem 3.2. 1. Curb Model Checking, i.e., given a propositional theory T, sets p, z of propositional letters, and a model M, deciding whether M is a (p; z)-good model of T, is PSPACE-complete. 

2. Curb Inference, i.e., given a propositional theory T, sets p, z of propositional letters, and a propositional formula G, deciding whether Curb(T; p, z) ⊨ G, is PSPACE-complete. 



4 The Lub Property 

While curbing of general theories is PSPACE-complete, it is possible to identify specific classes of theories on which curbing has lower complexity. In this section, we identify a relevant fragment of propositional logic for which curb inference is in Π^p_2. 

Definition 4.1. A theory T has the lub property iff every nonempty set S of good models has a least upper bound (lub) M. 



Lemma 4.1. Let S_1, S_2 be nonempty sets of good models of theory T such that S_1 ⊆ S_2, and let M_1, M_2 be mubs of S_1 and S_2, respectively. If M_1 is the lub of S_1, then M_1 ≤ M_2. 
Theorem 4.1. If theory T has the lub property, then a model is good iff it is 1-good. 

Proof. Prove by induction on α that if model M is α-good, then it is 1-good. Obvious for α ≤ 1. Assume α > 1. Then, M is a mub of S = {M' : (< α)-good(M'), M' < M}. Now, by the hypothesis, each M' ∈ S is the mub of some S' ⊆ S which contains only minimal models. Let S_m be the minimal models from S. If S_m = ∅, then M is a minimal model and the statement holds. Else S_m has a lub M_m. From the unique mub property and Lemma 4.1, it follows that M' ≤ M_m for each M' ∈ S. Thus M_m is an upper bound of S, hence M ≤ M_m. On the other hand, since S_m ⊆ S, it follows from Lemma 4.1 that M_m ≤ M. Since ≤ is a partial order, it follows that M_m = M. Thus M is 1-good and the statement holds. □ 



Corollary 4.1. For propositional theories T having the lub property, Curb Inference is in Π^p_2, and Curb Model Checking is in Σ^p_2. 

Proof. To show Curb(T) ⊭ F, guess a model M of Curb(T) such that M ⊭ F. To verify M, guess k from {0, …, |V|}, where V is the variable set, and minimal models M_1, …, M_k of T such that M is a mub of them. Use an NP oracle for testing whether M_i is minimal (is in coNP) and for testing if M is a mub of the M_i (is in coNP). □ 

Notice the following characterization of lub theories. 

Definition 4.2. A theory T is mub-compact over a domain iff every good model is a mub of a finite set of good models. 



Theorem 4.2. Let T be a mub-compact theory over some domain. Then T has the lub property iff every pair of good models has a lub. 

Proof. (Sketch) To show the if direction, demonstrate by induction on finite cardinality k that every set S with |S| ≤ k has a lub. For k ≤ 2, this is obvious. For k > 2, let M ∈ S be a maximal element in S. By the hypothesis, S − {M} has a lub M'. M and M' have a lub M'', which must (Lemma 4.1) be the lub of S. □ 



Corollary 4.2. If the domain is finite and the models of T form an upper semi-lattice, then T has the lub property and a model is good iff it is 1-good. 

As already mentioned in the introduction, Scarcello, Leone, and Palopoli [21] derived complexity results for curbing Krom theories, i.e., clausal theories where each clause contains at most two literals. They showed that Curb Model Checking for propositional Krom theories is in Σ^p_2. To establish this result, they showed that the union of any pair of good models of a propositional Krom theory is also a good model. From this it clearly follows that propositional Krom theories enjoy the (more general) lub property. Hence their Σ^p_2 upper bound and, in addition, a Π^p_2 upper bound for curb inferencing can also be derived via our more general results. 
5 Good Models and Least Upper Bounds 

The lub property defined in Section 4 requires that all nonempty collections of good models of a theory have a lub. Let us weaken this property by requiring merely that for every non-minimal good model M there exists a collection of models whose lub is M. 

Definition 5.1. A theory T has the weak least upper bound (weak lub) property if every non-minimal good model of T is the lub of some collection 𝓜 of good models of T. 

Notice that the lub property implies the weak lub property, but not vice versa. This is shown by the following example. 

Example 5.1. Suppose the models of a propositional theory T are the ones shown in Figure 7. All models are good, and M_1 = {a, b, c}, M_2 = {b, c, d} are the lubs of the collections {{a}, {b}, {c}} and {{b}, {c}, {d}}, respectively. However, the good models {b} and {c} do not have a lub; thus, the theory satisfies the weak lub property but not the lub property. 

Fig. 7. The weak lub property does not imply the lub property (Hasse diagram of the models abc, bcd and abcd above the singletons a, b, c, d). 
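To make the definitions of mub, lub, good and 1-good models concrete, here is an added Python example (not from the paper) that computes the good models of a finite model set as the closure of the minimal models under minimal upper bounds, and then checks the lub property (Definition 4.1) and the weak lub property (Definition 5.1) on the model set of Example 5.1 and on a small upper semi-lattice (Corollary 4.2). Both model sets are constructed here; function names are my own.

```python
from itertools import combinations

def nonempty_subsets(items):
    """All nonempty subcollections of a finite collection of models."""
    items = list(items)
    for r in range(1, len(items) + 1):
        yield from combinations(items, r)

def upper_bounds(models, coll):
    """Models that include every member of the collection coll."""
    return [m for m in models if all(c <= m for c in coll)]

def mubs(models, coll):
    """Minimal upper bounds (mubs) of coll within models, w.r.t. set inclusion."""
    ubs = upper_bounds(models, coll)
    return [u for u in ubs if not any(v < u for v in ubs)]

def lub(models, coll):
    """Least upper bound: the unique mub, or None if coll has several or no mubs."""
    ms = mubs(models, coll)
    return ms[0] if len(ms) == 1 else None

def minimal_models(models):
    return [m for m in models if not any(n < m for n in models)]

def good_models(models):
    """Good models: the least set containing the minimal models and closed under
    taking mubs of its nonempty subcollections. The fixpoint is reached because the
    model set is finite, so every alpha-good model is found after finitely many rounds."""
    good = set(minimal_models(models))
    while True:
        new = {m for coll in nonempty_subsets(good) for m in mubs(models, coll)} - good
        if not new:
            return good
        good |= new

def one_good_models(models):
    """1-good models: mubs of nonempty collections of minimal models. By Theorem 4.1
    these are all the good models whenever the theory has the lub property."""
    mins = minimal_models(models)
    return {m for coll in nonempty_subsets(mins) for m in mubs(models, coll)}

def has_lub_property(models):
    """Definition 4.1: every nonempty set of good models has a lub."""
    return all(lub(models, coll) is not None
               for coll in nonempty_subsets(good_models(models)))

def has_weak_lub_property(models):
    """Definition 5.1: every non-minimal good model is the lub of some collection of good models."""
    good = good_models(models)
    lubs = {lub(models, coll) for coll in nonempty_subsets(good)}
    return all(m in lubs for m in good - set(minimal_models(models)))

# Model set of Example 5.1 / Figure 7 (constructed from the text): models as frozensets of atoms.
EXAMPLE_5_1 = [frozenset(s) for s in ("a", "b", "c", "d", "abc", "bcd", "abcd")]
# A constructed model set forming an upper semi-lattice (Corollary 4.2). Note that {a, b, c}
# is a model but not a good one: it is not a mub of any collection of good models.
SEMILATTICE = [frozenset(s) for s in ("a", "b", "ab", "abc")]

if __name__ == "__main__":
    for name, models in (("Example 5.1", EXAMPLE_5_1), ("semi-lattice", SEMILATTICE)):
        print(name, sorted("".join(sorted(m)) for m in good_models(models)),
              "lub:", has_lub_property(models), "weak lub:", has_weak_lub_property(models))
```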

Intuitively, if a theory satisfies the weak lub property, then any good model M in a collection 𝓜 of good models can be replaced by a collection 𝓜' of good models whose lub is M, without affecting the mubs of the collection, i.e., 𝓜 has the same mubs as (𝓜 \ {M}) ∪ 𝓜'. By repeating this replacement, 𝓜 can be replaced by a collection 𝓜* of minimal models that has the same mubs as 𝓜. This is actually the case, provided that the collection of good models has the following property. 

Definition 5.2. The collection of good models of a sentence φ is well-founded if every decreasing chain M_0 ⊃ M_1 ⊃ ⋯ of good models has a smallest element. 

Notice that in the context of circumscription, theories were sometimes called well-founded if every model M of a sentence φ includes a minimal model of φ [14]. That notion of well-foundedness is different from the one employed here. 

The collection of good models of a theory is not necessarily well-founded, as shown by the following example. 

Example 5.2. Consider the theory T on the domain Z of all integers: 

$$
\varphi = (\forall x)(p(x) \leftrightarrow x < 0) \;\vee\; (\exists x \ge 0)(\forall y)(p(y) \leftrightarrow \neg(1 \le y \le x)) \;\vee\; (\exists x \ge 0)(\forall y)(p(y) \leftrightarrow (y > x) \vee (-x \le y \le 0))
$$

Informally, T says that the numbers having property p are either all the negative numbers (Z⁻ = {−1, −2, …}), all numbers except some interval [1, 2, …, k], k ≥ 0, or all nonnegative numbers where the interval [0, k], k ≥ 0, is replaced by the interval [−k, −0]. All models of T are good. The minimal models are Z⁻ and N_k = (N_0 \ [0, k]) ∪ [−k, −0], k ≥ 0; every model M_k = Z \ [1, k], k ≥ 0, is a mub of the models Z⁻ and N_k (see Figure 8). Clearly, M_0 ⊃ M_1 ⊃ ⋯ ⊃ M_i ⊃ ⋯, i ∈ ω, forms a decreasing chain of good models. This chain has no smallest element, and hence the collection of good models of T is not well-founded. □ 

Fig. 8. A collection of good models that is not well-founded: M_0 = Z = {…, −2, −1, 0, 1, 2, …}; N_0 = {0, 1, 2, …}, N_1 = {−1, 0, 2, 3, …}, N_2 = {−2, −1, 0, 3, 4, …}; Z⁻ = {…, −3, −2, −1}. 

Theorem 5.1. Let φ be a first-order sentence such that the collection of good models of φ is well-founded. If φ has the weak lub property, then every good model is either minimal or the lub of some collection of minimal models. 

Proof. We show this by contradiction. Assume the contrary holds. Let B be the set of good models which are not the lub of some collection of minimal models; note that B is not empty. Since the collection of good models is well-founded, B must have a minimal element M. (To obtain such an M, construct a maximal chain in B, and take the unique minimal element of this chain, which must exist.) Since φ has the weak lub property, M is the mub of some collection S of good models. The definition of B and the weak lub property of φ imply that every M' ∈ S is the lub of a collection S_{M'} of minimal models. Let S' be the union of all these S_{M'}. We show that M is the lub of S'. Clearly, M is an upper bound of S'. Assume then that M is not a minimal upper bound of S'. Then there exists a good model M' < M which is an upper bound of S'. But this M' is also an upper bound of S. This means that M is not a mub of S, which is a contradiction. It follows that M is a mub of S'. On the other hand, every upper bound M' of S' must satisfy M ≤ M'. Therefore, M is the unique mub of S'. Consequently, M is the unique minimal upper bound of a collection of minimal models. By definition, this means M ∉ B. This is a (global) contradiction. □ 

Thomas Eiter and Georg Gottlob 

The converse of this theorem (which is equivalent to the statement that a theory in which every good model is either minimal or the lub of some collection of minimal models is well-founded) is not true. This is shown by Example 5.2. Furthermore, this theorem does not hold if the collection of good models is arbitrary. This is shown by the following example. 

Example 5.3. Replace in Example 5.2 every model M_i, i ∈ ω, by the two models M_i^a = M_i ∪ {a} and M_i^b = M_i ∪ {b} and extend the domain with the new elements a and b. 

In the resulting collection of models, which is clearly axiomatizable by a first-order sentence φ, every model is good and the lub of some collection of good models (M_i^a is the lub of {N_i, …} and M_i^b of {N_i, …}; all other models are minimal). However, no M_i^a or M_i^b is the lub of a collection of minimal models. Notice that each good model is the lub of two good models and 1-good. □ 

From Theorems 5.1 and 2.1, we immediately get the following complexity results for propositional theories. 

Theorem 5.2. For propositional theories which enjoy the weak lub property, the problem Curb Model Checking is in Σ^p_2, while the problem Curb Inference is in Π^p_2. 

A possible attempt to strengthen the weak lub property is to use ordinals. Say that the collection of good models of a theory has the inductive weak lub property if every non-minimal α-good model is the lub of a collection of (< α)-good models. Notice that the collection of good models in Example 5.2 has the inductive weak lub property (which, as a consequence, does not imply well-foundedness). However, the following result is an easy consequence of our results from above. 

Theorem 5.3. Let φ be a first-order sentence whose collection of good models is well-founded. Then, it has the inductive weak lub property if and only if it has the weak lub property. 

Proof. The only-if direction is trivial. The if direction follows from Theorem 5.1. □ 
We handle finite graphs in two ways: as relational structures on the one hand, and as algebraic objects, i.e., as elements of algebras based on graph operations, on the other. 

Graphs as relational structures 

By considering a graph as a relational structure (consisting typically, of the set 
of vertices as domain and of a binary relation representing the edges), one can 
express graph properties in logical languages like First-Order Logic or fragments 
of Second-Order Logic. The purpose of Descriptive Complexity is to relate the 
complexity of graph properties (or more generally of properties of finite relational 
structures) with the syntax of their logical expressions, and to characterize com- 
plexity classes in logical terms, independently of computation models like Turing 
machines. 

The logical expression of graph properties also raises satisfiability problems for specific classes of graphs, namely the problems of deciding whether a given formula of a certain logical language is satisfiable by some graph belonging to a fixed class. 

Monadic Second-Order Logic 

As main logical language, we will consider Monadic Second-Order Logic, i.e., the 
extension of First-Order Logic with variables denoting sets of elements of the 
considered structures. Despite the fact that it does not correspond exactly to 
any complexity class, this language enjoys a number of interesting properties. 

First, it is rich enough to express nontrivial graph properties like planarity, k-vertex colorability (for fixed k), connectivity, and many others (that are not expressible in First-Order Logic). 

Second, it is an essential tool for studying context-free graph grammars. In 
particular, certain graph transformations expressible by Monadic Second-Order 
formulas behave very much like Rational Transductions (or Tree Transductions) 
used in the Theory of Formal Languages. 

* This research is supported by the European Community Training and Mobility in 
Research network GETGRATS. 
Third, the verification, optimization and counting problems expressible in Monadic Second-Order Logic are efficiently solvable for certain classes of "hierarchically structured graphs", i.e., of graphs built from finite sets of graphs by means of finitely many graph operations. (This is the case of the well-known class of partial k-trees, equivalently, of graphs of tree-width at most k.) We will discuss this second way of handling graphs shortly. Let us make precise here that a verification (or model checking) problem consists in testing whether a given graph from a certain class is a model of a fixed closed logical formula (here a Monadic Second-Order formula). An optimization problem consists in computing, for a given graph (from a certain class), the minimum (or maximum) cardinality of a set of vertices satisfying a fixed formula with one free set variable, again of Monadic Second-Order Logic. The length of a shortest path between two specified vertices and the maximum size of a planar induced subgraph in a given graph are expressible in this way. A counting problem consists in counting the number of sets satisfying a given formula. The number of paths between two specified vertices is of this form. 

Graph operations 

The algebraic approach to graphs pertains to the extension to sets of finite (and 
even countably infinite) graphs of several notions of Formal Language Theory 
based on the monoid structure of words. Two basic such notions are context- 
freeness and recognizability (defined in terms of finite congruences). The graph 
operations we will consider can be seen as generalizations of the concatenation 
of words, or of the construction of a tree from smaller trees connected by a new 
root. 

From an algebra of finite graphs, generated by finitely many graph operations 
and basic graphs, one obtains: 

— a specification of its graphs by algebraic terms: this yields a linear notation 
for these graphs, and also a background for inductive definitions and proofs, 

— a notion of context-free graph grammar formalized in terms of systems of 
recursive set equations having least solutions: this is, by far, the easiest and 
most general way to handle context-free graph grammars, 

— an algebraic notion of recognizability, defined in terms of finite congruences; 
an algebraic notion is useful because there is no appropriate notion of finite- 
state automaton for graphs except in very special cases; however, algebraic 
recognizability yields finite-state tree automata processing the syntax trees 
of the considered graphs. 

Provided the graph operations are compatible with Monadic Second-order logic 
(this notion has a precise definition), we also obtain linear algorithms for every 
verification, optimization or counting problem expressed in Monadic Second- 
Order Logic, on the graphs of the corresponding algebras. These algorithms 
are based on tree automata traversing the syntax trees of the given graphs, 
and these automata exist because Monadic Second-Order Logic is equivalent to 
recognizability on finite graphs. 
A drawback of this theory is that we cannot handle the class of all finite graphs as a single finitely generated algebra based on operations compatible with Monadic Second-Order Logic. But this is unavoidable, unless P = NP. 



Context-free graph grammars and Monadic Second-Order Logic 

There exist only two classes of context-free graph grammars. They are called the HR Grammars (HR stands for hyperedge replacement) and the VR Grammars (VR stands for vertex replacement). The corresponding classes of sets of graphs are closed under graph transformations expressible in Monadic Second-Order Logic, and are generated from the set of binary trees by such transformations. Hence, the classes HR and VR are robust and have characterizations independent of any choice of graph operations. This establishes a strong connection between context-free graph grammars and Monadic Second-Order Logic, and, more generally, between the two ways we handle graphs. 



Graph operations compatible with Monadic Second-Order Logic 

The graph operations we know enjoying the desired "compatibility properties" are the following ones, dealing with k-graphs, i.e., with graphs the vertices of which are colored with k colors (neighbour vertices may have the same color): 

(a) disjoint union of two k-graphs, 

(b) uniform change of color (i.e., all vertices of the input k-graph colored by p are then colored by q), for fixed colors p, q, 

(c) redefinition of the (binary) edge relation of the structure representing the input k-graph by a fixed quantifier-free formula using possibly the k color predicates, 

(d) an operation that fuses all vertices of the input k-graph having color p into a single one, for fixed color p. 

The edge complement is an example of an operation of type (c) (its definition needs no color predicate). 

For generating graphs, the operations of the forms (c) and (d) can be replaced by operations of the restricted form: 

(c') addition of edges between any vertex colored by p and any vertex colored by q, 

at the cost of using (many) more colors. (See [6].) 

The clique-width of a graph G is defined as the minimal number k of colors that can be used in an algebraic expression denoting this graph and built from one-vertex graphs and operations of the forms (a), (b), (c') (using only these k colors). This complexity measure is comparable to tree-width, but stronger in the sense that, for a set of finite graphs, bounded tree-width implies bounded clique-width, but not vice versa. (See [1,6,7].) 
The HR context-free graph grammars are those defined as systems of equations using operations (a), (b) and (d). The VR context-free graph grammars are those defined as systems of equations using operations of all four types. (See [6].) 
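As an added illustration (not part of the lecture abstract), the following Python evaluates expressions built from one-vertex k-graphs and the operations (a) disjoint union, (b) uniform recoloring and (c') edge addition between two color classes, reporting the set of colors an expression uses. It then builds a clique with two colors and a path with three colors, which is how the clique-width definition above is applied in practice; the tuple encoding of expressions and all function names are my own.

```python
class KGraph:
    """A k-graph: a map vertex -> color (1..k) plus an undirected edge set."""
    def __init__(self, colors, edges=()):
        self.colors = dict(colors)
        self.edges = frozenset(frozenset(e) for e in edges)

def edge_list(g):
    """Edges as sorted pairs, convenient for comparing graphs."""
    return sorted(tuple(sorted(e)) for e in g.edges)

def evaluate(expr):
    """Evaluate an expression over one-vertex k-graphs and the operations (a), (b), (c').
    Returns (graph, set of colors used). Expression forms (own tuple encoding):
      ("vertex", name, color)   one-vertex k-graph carrying `color`
      ("union", e1, e2)         (a) disjoint union
      ("recolor", p, q, e)      (b) every vertex colored p gets color q
      ("join", p, q, e)         (c') add an edge between every p-vertex and every q-vertex
    """
    kind = expr[0]
    if kind == "vertex":
        _, name, color = expr
        return KGraph({name: color}), {color}
    if kind == "union":
        g, cg = evaluate(expr[1])
        h, ch = evaluate(expr[2])
        if g.colors.keys() & h.colors.keys():
            raise ValueError("disjoint union needs distinct vertex names")
        return KGraph({**g.colors, **h.colors}, g.edges | h.edges), cg | ch
    if kind == "recolor":
        _, p, q, sub = expr
        g, used = evaluate(sub)
        recolored = {v: (q if c == p else c) for v, c in g.colors.items()}
        return KGraph(recolored, g.edges), used | {q}
    if kind == "join":
        _, p, q, sub = expr
        if p == q:
            raise ValueError("(c') adds edges between two different color classes")
        g, used = evaluate(sub)
        new = {frozenset((u, v)) for u, cu in g.colors.items()
               for v, cv in g.colors.items() if cu == p and cv == q}
        return KGraph(g.colors, g.edges | new), used
    raise ValueError(f"unknown operation {kind!r}")

def clique_expression(names):
    """K_n with two colors: the finished part stays in color 1, each new vertex enters
    in color 2, is joined to color 1, and color 2 is then folded into color 1."""
    expr = ("vertex", names[0], 1)
    for name in names[1:]:
        expr = ("recolor", 2, 1, ("join", 1, 2, ("union", expr, ("vertex", name, 2))))
    return expr

def path_expression(names):
    """P_n with three colors: 1 = current end vertex, 2 = the vertex being attached,
    3 = interior vertices, which must receive no further edges."""
    expr = ("vertex", names[0], 1)
    for name in names[1:]:
        expr = ("join", 1, 2, ("union", expr, ("vertex", name, 2)))
        expr = ("recolor", 2, 1, ("recolor", 1, 3, expr))   # old end -> 3, new vertex -> 1
    return expr

if __name__ == "__main__":
    for build in (clique_expression, path_expression):
        g, used = evaluate(build(["a", "b", "c", "d"]))
        print(build.__name__, "colors used:", sorted(used), "edges:", edge_list(g))
```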

Summary of the lecture 

In a first part, we will review these notions; we will give various examples of graph operations and of Monadic Second-Order graph properties ([2, 5, 6, 7]). In a second part, we will focus our attention on the "compatibility" conditions mentioned above and on operations of type (c) and (d): we will review results from [5]. In a third part, we will present the following open problems: 

1. The parsing problem: What is the complexity of deciding whether the clique-width of a given graph is at most k? It is polynomial for k at most 3, NP otherwise ([1]). Is it NP-complete for fixed values of k? For the algorithmic applications, one needs an algorithm producing not only a "yes/no" answer but also an algebraic expression in case of "yes" answers. 

2. Alternative complexity measure: Can one define a complexity measure equivalent to clique-width (equivalent in the sense that the same sets of finite graphs have bounded "width"), such that the corresponding parsing problem is polynomial for each value k? 

3. Countable graphs: From infinite expressions using the operations of types (a), (b), (c'), one can define the clique-width of a countable graph G. It may be finite but strictly larger than the maximum clique-width of the finite induced subgraphs of G. How large can the gap be? Is there an equivalent complexity measure for which there is no gap? Preliminary results can be found in [4]. 

4. An open conjecture by Seese: If a set of finite or countable graphs has a decidable satisfiability problem for Monadic Second-Order formulas, then it has bounded clique-width. The result of [4] reduces this conjecture to the case of sets of finite graphs, but the hard part remains; partial results have been obtained in [3]. 

More open problems can be found at http://dept-info.labri.u-bordeaux.fr/~courcell/ActSci.html. A list of results on clique-width is maintained on the page http://www.laria.u-picardie.fr/~vanherpe/cwd/cwd.html 
Abstract. We demonstrate that the class of functions computed by first order functional programs over lists which terminate by multiset path ordering and admit a polynomial quasi-interpretation is exactly the class of functions computable in polynomial time. The interest of this result lies in (i) the simplicity of the conditions on programs to certify their complexity, (ii) the fact that an important class of natural programs is captured, (iii) potential applications for program optimisation. 



1 Introduction 

This paper is part of a general investigation on the implicit complexity of a specification. To illustrate what we mean, we write below the recursive rules that compute the longest common subsequence of two words. More precisely, given two strings u = u_1 ⋯ u_m and v = v_1 ⋯ v_n of {0, 1}*, a common subsequence of length k is defined by two sequences of indices i_1 < ⋯ < i_k and j_1 < ⋯ < j_k satisfying … 

$$
\begin{aligned}
\mathrm{lcs}(\epsilon, y) &\to 0\\
\mathrm{lcs}(x, \epsilon) &\to 0\\
\mathrm{lcs}(i(x), i(y)) &\to \mathrm{lcs}(x, y) + 1\\
\mathrm{lcs}(i(x), j(y)) &\to \max(\mathrm{lcs}(x, j(y)),\ \mathrm{lcs}(i(x), y)) \qquad i \neq j
\end{aligned}
$$

The number of recursive calls is exponential because of the recomputation of values. So, the execution of this specification would be unrealistic; moreover, it is well known that this problem is efficiently solved by a dynamic programming algorithm. Our purpose is to analyse a source program, such as the specification above, to determine the computational complexity of the function computed. The next step is to generate an efficient implementation of the function denoted by the source program. Practically, we address the question of the efficiency of a program, which is crucial, in particular in the context of semi-automatic program construction. For example, Benzinger [5] has developed a prototype which analyses the complexity of a program extracted from a Nuprl proof. The same problem motivates Crary and Weirich in [13], who introduce a type system to take into account the resources involved in a computation; see also [19]. Our approach is different because the complexity analysis must diagnose the intensional behaviour of data, and thereby help us to interpret programs more efficiently. 
In this paper, we present an interpreter which carries out online memoizing and runs in polynomial time on a non-trivial class of first-order functional programs over lists. The class of programs involved consists of programs which (i) terminate by multiset path ordering and (ii) admit a polynomial quasi-interpretation. 

This interpreter is similar to the interpreter of cons-free WHILE programs defined by Jones [21,22,23]. (See also the recent work of Liu and Stoller [29].) This technique was initiated by Cook in [12] to demonstrate that languages which are recognised by 2-way pushdown automata are exactly polynomial time languages. 

The program analysis combines, and depends on, the predicative analysis of recursion on the one hand and term orderings on the other hand. 

The predicative analysis of recursion was initiated by Bellantoni and Cook [3] and by Leivant [27,26], who characterised polynomial time computable functions (PTIME). The analysis permits us to separate the active data in a recursion from the others, by assigning tiers to data. In essence, those characterisations are extensional, so many polynomial time algorithms are ruled out by the mechanism of data tiering. These intensional gaps were first coped with by Caseiro in [7] and then by K. Aehlig and H. Schwichtenberg [1], Bellantoni, Niggl and Schwichtenberg [4], Hofmann [17,18], and Leivant [28] in their studies on characterisations of PTIME by means of higher type recursions. 

Term orderings play a central role in proving the termination of term rewriting systems, and of the programs that we shall consider. The multiset path ordering (MPO) was introduced by Plaisted [32] and Dershowitz [14]. A predicative analysis of recursion leads in [30] to the introduction of the term ordering light multiset path ordering (LMPO). It was established that LMPO captures a significant class of algorithms. However, because of the underlying data-tiering, it was not permitted to iterate non-size increasing functions [17], for example. 

The solution proposed in this paper is the outgrowth of the work [30] on LMPO¹ and includes several improvements. Firstly, the new approach does not refer to data-tiering but uses it to build a predicative analysis which leads to a time resource bound certification. Secondly, the definition of the class of programs is much simpler and is closer to programming practice than the definition of LMPO. Thirdly, the class of programs delineated allows iteration on non-size increasing functions and recursive templates like lcs above. Finally, we could use this result to analyse proof search based on ordered resolution as proposed by Basin and Ganzinger [2], for example. 

In the next section we give the definition of the first order functional programming language. In Section 3, we define the multiset path ordering, MPO, and a variant called MPO'. We see that the class of functions which terminate by MPO and MPO' is the class of primitive recursive functions. In Section 4, we present the light multiset path ordering, LMPO. It turns out that the class of functions which terminate by LMPO is exactly the class of functions which are computable in polynomial time. We sketch the proof and we present a call-by-value interpreter which uses a cache. In Section 5, we introduce quasi-interpretations and we state our main result. (Section 5 might be read independently from Section 4.) The last section is devoted to the proof of the main result. The proof consists in transforming a program which terminates by MPO' and admits a polynomial quasi-interpretation into an LMPO-program. 

¹ We presuppose no familiarity with [30]. 

2 First Order Functional Programming 

We shall consider first order programs over constructors which resemble ELAN programs, or a first-order restriction of HASKELL or ML programs. Throughout the following discussion, we consider four disjoint sets X, F, C, S of variables, function symbols, constructors and sorts. 



2.1 Syntax of Programs 

Definition 1. The sets of terms, patterns and function rules are defined in the following way: 

$$
\begin{array}{lll}
\text{(Constructor terms)} & T(C) \ni u & ::= c(u_1, \cdots, u_n)\\
\text{(Ground terms)} & T(C, F) \ni s & ::= c(s_1, \cdots, s_n) \mid f(s_1, \cdots, s_n)\\
\text{(terms)} & T(C, F, X) \ni t & ::= x \mid c(t_1, \cdots, t_n) \mid f(t_1, \cdots, t_n)\\
\text{(patterns)} & P \ni p & ::= x \mid c(p_1, \cdots, p_n)\\
\text{(rules)} & D \ni d & ::= f(p_1, \cdots, p_n) \to t
\end{array}
$$

where x ∈ X, f ∈ F, and c ∈ C is a constructor of arity n ≥ 0. 


Definition 2. An untyped program is a quadruplet main = ⟨X, C, F, ℰ⟩ such that: 

— ℰ is a set of D-rules. 

— Each variable in the right-hand side of a rule also appears in the left-hand side of the same rule. 

— main is the main function symbol of main. 

The size |t| of a term t is the number of symbols in t. It is defined by |c| = 1 and |f(t_1, ⋯, t_n)| = 1 + Σ_{i=1}^{n} |t_i| where f ∈ C ∪ F. 

2.2 Typing Programs 

Definition 3. Let S = {s_1, ⋯, s_n} be a set of sorts. The set of types built from S is Types ∋ τ ::= s → τ | s. 

Notice that each type is of the form s_1 → (⋯ ((s_n) → s) ⋯) and so denotes a function. We write it as (s_1, ⋯, s_n) → s. 

² We shall use typewriter font for function symbols and bold face font for constructors. 
Definition 4. A typing environment is a mapping Γ from X ∪ C ∪ F to Types which assigns to each symbol f of arity n > 0 a type Γ(f) = (s_1, ⋯, s_n) → s, and, to each symbol of arity 0, a sort. 

Definition 5. Let Γ be a typing environment. A term t ∈ T(C, F, X) is of type s, noted t : s, iff: 

— t is a symbol of arity 0 and Γ(t) = s. 

— t = f(t_1, ⋯, t_n), t_i : s_i and Γ(f) = (s_1, ⋯, s_n) → s. 

Definition 6. A typed program is a sextuplet main = ⟨X, C, F, ℰ, S, Γ⟩ such that ⟨X, C, F, ℰ⟩ is an untyped program and for each rule f(p_1, ⋯, p_n) → t, the type of f(p_1, ⋯, p_n) and of t are the same with respect to Γ. 

Throughout the paper, we assume that we are talking about a typed program called main. We shall not explicitly mention ⟨X, C, F, ℰ, S, Γ⟩. Also, f : Γ(f) is an abbreviation for "f is of type Γ(f)". 

Example 1. Given a list list of type List(Nat), sort(list) sorts the elements of list. The algorithm is the insertion sort. The sorts are S = {bool, Nat, List(α)} where α is a type variable, i.e. can be instantiated by any type s ∈ S. (This construction does not belong to our programming language but is admissible.) Constructors are C = {tt : bool, ff : bool, 0 : Nat, suc : Nat → Nat, nil : List(α), cons : α × List(α) → List(α)}. 

if_then_else : bool, α, α → α 

if tt then x else y → x 
if ff then x else y → y 

_<_ : Nat, Nat → bool 

0 < suc(y) → tt 
x < 0 → ff 
suc(x) < suc(y) → x < y 

insert : Nat, List(Nat) → List(Nat) 

insert(a, nil) → cons(a, nil) 
insert(a, cons(b, l)) → if a < b then cons(a, cons(b, l)) 
                                  else cons(b, insert(a, l)) 

sort : List(Nat) → List(Nat) 

sort(nil) → nil 
sort(cons(a, l)) → insert(a, sort(l)) 
2.3 Semantics 

The set E of rules induces a rewrite system. We recall briefly some basic notions of rewriting theory. For further details, one might consult Dershowitz and Jouannaud's survey [15]. The rewriting relation → induced by a program main is defined as follows: t → s if s is obtained from t by applying one of the rules of E. The relation →⁺ (→*) is the transitive (reflexive-transitive) closure of →. Lastly, t →! s means that t →* s and s is in normal form, i.e. no other rule may be applied. A ground (resp. constructor) substitution is a substitution from X to T(C, F) (resp. T(C)). 

Since our intention is to interpret a program by a function, an important property is that each term has a unique normal form, if it exists. Henceforth, we just consider confluent programs, that is programs for which the induced relation → is confluent. In particular, our definition includes orthogonal programs, which are confluent [20]. A program is orthogonal if, in addition, there are no overlapping rules. 

We now give the semantics of (confluent) programs, based on the "standard" interpretation. The domain of the interpretation is the constructor algebra T(C). Hence, we only consider normal forms in T(C) as being defined. Closed terms are interpreted by elements of the algebra T(C)/E, that is the initial algebra of the class of models of the set of program rules E. 

Definition 7. The semantics of a type s is the set of constructor terms whose type is s. That is ⟦s⟧ = {t : s | t ∈ T(C)}. 

Definition 8. Let main be a program and Γ(main) = (s_1, ···, s_n) → s. The function computed by main is ⟦main⟧ : ⟦s_1⟧ × ··· × ⟦s_n⟧ ↦ ⟦s⟧ which is defined as follows. For all u_i ∈ ⟦s_i⟧, ⟦main⟧(u_1, ···, u_n) = v iff main(u_1, ···, u_n) →! v and v ∈ ⟦s⟧, otherwise ⟦main⟧(u_1, ···, u_n) is undefined. 

3 Termination Orderings 

3.1 Multiset Path Ordering 

The Multiset Path Ordering (MPO) is a syntactic termination ordering which was introduced by Plaisted [32] and Dershowitz [14]. MPO is widely employed to prove program termination. We briefly describe it together with some basic notions which we shall use later on. 

A multiset M is a finite mapping M : T(C, F, X) → ℕ which associates to each term t the number M(t) of occurrences of the term t in M. An ordering ≺ on terms induces an ordering on multisets. 

Definition 9. M is smaller than N in the multiset ordering induced by ≺ iff, whenever there is a term s such that M(s) > N(s), there is a term t such that s ≺ t and M(t) < N(t). 
A precedence ⪯_F (strict precedence ≺_F) is a quasi-ordering (total ordering) on the set F of function symbols. Define the equivalence relation ≈_F as f ≈_F g iff f ⪯_F g and g ⪯_F f. It is worth noting that we shall consider constructors as minimal symbols with respect to ⪯_F, and all variables are incomparable. 

From ≈_F we define the permutative congruence ≈ as the smallest equivalence relation on terms which satisfies f(t_1, ···, t_n) ≈ g(s_1, ···, s_n) if f ≈_F g and t_i ≈ s_π(i) for some permutation π over {1, ···, n}. 

Definition 10. The multiset path ordering ≺_mpo is defined recursively by 

1. s ≺_mpo f(···, t_i, ···) if f ∈ F and s ⪯_mpo t_i. 

2. c(s_1, ···, s_n) ≺_mpo f(t_1, ···, t_m) if s_i ≺_mpo f(t_1, ···, t_m), for i ≤ n, and c ∈ C, f ∈ F. Note that c can be 0-ary. 

3. g(s_1, ···, s_m) ≺_mpo f(t_1, ···, t_n) if s_i ≺_mpo f(t_1, ···, t_n), for i ≤ m, and g ≺_F f. 

4. g(s_1, ···, s_m) ≺_mpo f(t_1, ···, t_n) if {s_1, ···, s_m} is smaller than {t_1, ···, t_n} in the multiset ordering induced by ≺_mpo (Definition 9), and g ≈_F f. 

where ⪯_mpo = ≺_mpo ∪ ≈. 

3.2 A Restriction of MPO 

We introduce a termination ordering MPO' by restricting the multiset ordering of MPO. We shall see that both orderings define the class of primitive recursive functions. 

Definition 11. Let M = {m_1, ···, m_p} and N = {n_1, ···, n_p} be two multisets with the same number of elements. M is smaller than N in the restricted multiset ordering iff M is smaller than N in the multiset ordering of Definition 9 and there exists a permutation π such that: 

— ∃i ≤ p such that m_i ≺ n_π(i), 

— ∀j ≤ p, m_j ≺ n_π(j) or m_j ≈ n_π(j). 

Definition 12. The ordering MPO' is defined by replacing, in Definition 10, the multiset ordering of Definition 9 by the restricted multiset ordering of Definition 11. 

Proposition 1. ≺_mpo is an extension of ≺_mpo', that is s ≺_mpo' t implies s ≺_mpo t. 

Proof. Immediate by observing that the multiset ordering of Definition 9 is an extension of the restricted one of Definition 11. 

A program is terminating by MPO' (resp. MPO) if there is a precedence on F such that for each rule l → r of E, we have r ≺_mpo' l (resp. r ≺_mpo l). 

Example 2. 

1. By putting if_then_else ≺_F _<_ ≺_F insert ≺_F sort, we see that the program written in Example 1 terminates by MPO'. 

2. The following program computes the exponential. It is convenient to identify 0 with 0 and suc(n) with n + 1. Henceforth, we write n instead of suc^n(0). In the same way, n + m stands for suc^{n+m}(0). The program is ordered by MPO' with d ≺_F exp. 

d : Nat → Nat and ⟦d⟧(n) = n + n 

d(0) → 0 

d(suc(x)) → suc(suc(d(x))) 

exp : Nat → Nat and ⟦exp⟧(n) = 2^n 

exp(0) → suc(0) 
exp(suc(x)) → d(exp(x)) 
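As an added example (not code from the paper), the following Python checker implements Definitions 9 to 12 on tuple-encoded versions of the rules of Examples 1 and 2, plus one constructed rule on which MPO and MPO' disagree. It assumes that constructors are minimal in the precedence and congruent only to themselves, and it applies the subterm rule to constructor heads as well.

```python
from itertools import permutations

# Added example (not the paper's code).  A term is a variable (str) or a
# tuple (symbol, arg_1, ..., arg_n).  A precedence is a dict symbol -> rank;
# constructors (absent from the dict) are minimal and, as an assumption of
# this example, equivalent only to themselves.

def less_F(f, g, prec):                       # f <_F g
    return prec.get(f, -1) < prec.get(g, -1)

def equiv_F(f, g, prec):                      # f ~_F g
    if f not in prec or g not in prec:
        return f == g
    return prec[f] == prec[g]

def congruent(s, t, prec):
    """Permutative congruence of Section 3.1: equivalent head symbols and
    arguments pairwise congruent up to a permutation."""
    if isinstance(s, str) or isinstance(t, str):
        return s == t
    if len(s) != len(t) or not equiv_F(s[0], t[0], prec):
        return False
    return any(all(congruent(a, b, prec) for a, b in zip(s[1:], perm))
               for perm in permutations(t[1:]))

def multiset_less(ms, ns, prec, restricted):
    """Definition 9 (restricted=False) or Definition 11 (restricted=True),
    both taken over mpo_less."""
    if restricted:
        # Def. 11: equal sizes and a permutation pairing each m_j with a
        # bigger-or-congruent n_pi(j), strictly bigger for at least one j.
        if len(ms) != len(ns):
            return False
        for perm in permutations(ns):
            pairs = list(zip(ms, perm))
            if (any(mpo_less(m, n, prec, True) for m, n in pairs) and
                    all(mpo_less(m, n, prec, True) or congruent(m, n, prec)
                        for m, n in pairs)):
                return True
        return False
    # Def. 9 in the equivalent Dershowitz-Manna form: drop congruent pairs,
    # then every remaining m must be below some remaining n.
    ms, ns = list(ms), list(ns)
    for m in list(ms):
        for n in ns:
            if congruent(m, n, prec):
                ms.remove(m); ns.remove(n); break
    return bool(ns) and all(any(mpo_less(m, n, prec, False) for n in ns)
                            for m in ms)

def mpo_less(s, t, prec, restricted=False):
    """s <_mpo t (Definition 10) or, with restricted=True, s <_mpo' t
    (Definition 12); constructors count as minimal symbols of the precedence."""
    if isinstance(t, str):
        return False
    f, ts = t[0], t[1:]
    # Rule 1: s is below or congruent to some argument t_i of t.
    if any(congruent(s, ti, prec) or mpo_less(s, ti, prec, restricted)
           for ti in ts):
        return True
    if isinstance(s, str):
        return False
    g, ss = s[0], s[1:]
    if less_F(g, f, prec):           # rules 2 and 3: every argument below t
        return all(mpo_less(si, t, prec, restricted) for si in ss)
    if equiv_F(g, f, prec):          # rule 4: compare argument multisets
        return multiset_less(ss, ts, prec, restricted)
    return False

def terminates(rules, prec, restricted=False):
    """A program terminates by MPO (MPO') if r < l for every rule l -> r."""
    return all(mpo_less(r, l, prec, restricted) for l, r in rules)

def suc(x): return ("suc", x)
def cons(a, l): return ("cons", a, l)
def ite(c, x, y): return ("if_then_else", c, x, y)
Z, NIL, TT, FF = ("0",), ("nil",), ("tt",), ("ff",)

# Example 1 (insertion sort) with the precedence of Example 2(1).
SORT = [
    (ite(TT, "x", "y"), "x"), (ite(FF, "x", "y"), "y"),
    (("<", Z, suc("y")), TT), (("<", "x", Z), FF),
    (("<", suc("x"), suc("y")), ("<", "x", "y")),
    (("insert", "a", NIL), cons("a", NIL)),
    (("insert", "a", cons("b", "l")),
     ite(("<", "a", "b"), cons("a", cons("b", "l")),
         cons("b", ("insert", "a", "l")))),
    (("sort", NIL), NIL),
    (("sort", cons("a", "l")), ("insert", "a", ("sort", "l"))),
]
SORT_PREC = {"if_then_else": 0, "<": 1, "insert": 2, "sort": 3}

# Example 2(2) (exponential) with d <_F exp.
EXP = [(("d", Z), Z), (("d", suc("x")), suc(suc(("d", "x")))),
       (("exp", Z), suc(Z)), (("exp", suc("x")), ("d", ("exp", "x")))]
EXP_PREC = {"d": 0, "exp": 1}

# Constructed rule separating the two orderings: {x, x} is below {suc(x), y}
# by Definition 9, but no permutation satisfies Definition 11.
DROP = [(("g", suc("x"), "y"), ("g", "x", "x"))]
```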

Define Prog(MPO') as the set of programs which terminate by MPO'. A program of Prog(MPO') is constructed following some templates which are defined by the ordering MPO'. It is a particular case of "un-nested multiple recursion". Typical examples of such templates are illustrated by _<_ in Example 1 and by lcs in Example 3(3). 

Now, define SPR as the following class of programs. 

A program ⟨X, C, F, E⟩ is in SPR if (i) there is a strict precedence ≺_F on the set F of defined function symbols, and (ii) each rule is of the following form: 

Explicit definition, assuming that for each symbol h in t, we have h ≺_F f: 
f(p_1, ···, p_n) → t 

Primitive recursion, assuming that g, h ≺_F f: 
f(0, x_1, ···, x_{n-1}) → g(x_1, ···, x_{n-1}) 
f(suc(t), x_1, ···, x_{n-1}) → h(t, x_1, ···, x_{n-1}, f(t, x_1, ···, x_{n-1})) 

It is not difficult to see that the class of functions 𝔽(SPR) computed by SPR is exactly the class of primitive recursive functions. 

On the other hand, it is routine to check that each SPR rule is terminating by MPO'. Next, by Proposition 1, each program which terminates by MPO' also terminates by MPO. Hofbauer in [16] demonstrated that functions which terminate by MPO are exactly primitive recursive functions. So as a corollary, we state 

Corollary 1. The class of functions 𝔽(MPO') computed by a confluent program which terminates by MPO' is exactly the class of the primitive recursive functions. 
So, we have two sets of programs, Prog(MPO') and Prog(SPR), which are extensionally equivalent, i.e. 𝔽(MPO') = 𝔽(SPR). But, there are more programs in Prog(MPO') than in Prog(SPR). More importantly, Colson showed, see [11], that there is no program in SPR which computes the minimum of two integers n and m in inf(n, m) steps. However, _<_ defined in Example 1 provides such an algorithm. So, Prog(MPO') contains more "good" programs than SPR because more algorithmic patterns are allowed. This remark raises the question of "intensional completeness" with respect to the class of primitive recursive functions. This problem was studied by Péter in her monograph [31] by showing that many recursion schemas stay within the realm of primitive recursion. Simmons [34] studied what could be the rationale behind such results. A new approach to those questions is suggested by Cichon and Weiermann in [8], which also contains other references. 

To summarise the discussion above, termination orderings, like MPO', are a starting point for the study of intensional properties of classes of programs and the resource bounds for computing a function denoted by such a program. 

4 Ordering and Feasible Computation 

4.1 Data Tiering 

Bellantoni and Cook [3] and Leivant [27] characterised polynomial-time functions in a syntactic way, unlike characterisations à la Cobham [10] and Ritchie [33]. (More information may be found in Clote's survey [9].) 

Their approaches are based on the predicative analysis of recursion. The rationale for this analysis is intuitively explained from Example 2(2). The existence of the function E denoted by exp is demonstrated by an induction on natural numbers. At some point of the proof, one has to assume that E(n) is defined, in order to show the existence of E(n + 1). That is, one has to assume that the term exp(n) can be reduced to 2^n. This reasoning is legitimate as long as one does not care about computations and resource bounds. The predicative analysis of recursion indicates that this hypothesis is the source of trouble in studying feasible computations. For this reason, data ramification, or data tiering, is introduced to control recursion by assigning to the result of a recursion a tier which is strictly lower than the tier of the recursion parameter. Thus, it is not possible to use the result of a recursion as a recursion parameter because of the tier difference. And so, primitive recursion is tame. 

4.2 Light Multiset Path Ordering 

The term ordering Light multiset path ordering (LMPO) was introduced in [30] to encompass a broad class of algorithms delineating polynomial time functions. LMPO is a restriction of MPO' based on the predicative analysis of recursion. For this, each argument of a function symbol has a valency which predicts its intensional use. 

Definition 13. A valency of a function symbol f of arity n is a mapping ν(f) : {1, ···, n} ↦ {0, 1}. 
The valency of a function symbol f indicates how to compare arguments of f with respect to LMPO. Technically, valencies are like the notion of status which was suggested by Kamin and Lévy [24]. 

Definition 14. Let ν be a valency function on the set F of function symbols. A permutation π over {1, ···, n} respects the valency of f and g if the arity of f and g is n and ν(g, i) = ν(f, π(i)) for all i ≤ n. 



Definition 15. Let ≈_F be an equivalence relation on F. A permutative congruence ≈ which respects the valency ν is the smallest equivalence relation which satisfies: 

1. c(s_1, ···, s_n) ≈ c(t_1, ···, t_n) if c ∈ C and s_i ≈ t_i for all i ≤ n. 

2. f(t_1, ···, t_n) ≈ g(s_1, ···, s_n) if f ≈_F g and t_i ≈ s_π(i) for some permutation π which respects the valency of f and g. 



Definition 16. Let ≺ and ≺' be two term orderings. These orderings are lifted to an ordering over n-tuples of terms which respects the valency function ν on F as follows. {s_1, ···, s_n} is below {t_1, ···, t_n} iff there is a permutation π which respects the valency of f and g and which satisfies the condition that there is j ≤ n such that ν(g, j) = 1 and s_j ≺ t_π(j), and, for all i ≤ n, s_i ≺' t_π(i) or s_i ≈ t_π(i). 



Definition 17. Let ≺_F be a precedence and ν be a valency function on F. The light multiset path ordering is a pair (≺_k)_{k=0,1} of orderings which is recursively defined on T(C, F, X) as follows: 

1. s ≺_k c(···, t_i, ···) if s ⪯_k t_i. 

2. s ≺_k f(···, t_i, ···) if s ⪯_k t_i and ν(f, i) ≥ k. 

3. c(s_1, ···, s_n) ≺_k f(t_1, ···, t_m) if s_i ≺_k f(t_1, ···, t_m), for each i ≤ n. Note that c can be 0-ary. 

4. g(s_1, ···, s_n) ≺_k f(t_1, ···, t_m) if s_i ≺_{max(k, ν(g, i))} f(t_1, ···, t_m), for each i ≤ n, and if g ≺_F f. 

5. g(s_1, ···, s_n) ≺_0 f(t_1, ···, t_n) if {s_1, ···, s_n} is below {t_1, ···, t_n} in the lifting of Definition 16 which respects ν, and g ≈_F f. 

where ⪯_k = ≺_k ∪ ≈, c ∈ C, and f ∈ F. 







Definition 18. A program main is terminating by LMPO if there is a valency function ν such that for each rule (l → r) ∈ E, we have r ≺_0 l. An LMPO-program is a program which terminates by LMPO. 

Example 3. Throughout, we use the following convention to indicate the valency of a function argument. The arguments of valency 1 are the first arguments of f and the last ones are of valency 0. They are separated by ; like the normal/safe arguments of [3]. 
1. The following program is terminating using either MPO, MPO' or LMPO by setting add ≺_F mult. 

add : Nat1, Nat0 → Nat and ⟦add⟧(x, y) = x + y 

add(0; y) → y 

add(suc(x); y) → suc(add(x; y)) 

mult : Nat1, Nat1 → Nat and ⟦mult⟧(x, y) = x × y 

mult(0, y;) → 0 

mult(suc(x), y;) → add(y; mult(x, y;)) 

2. The exponential program given in Example 2(2) is terminating using either MPO or MPO' but not with LMPO. Indeed, the second equation will force ν(d, 1) = 1 and so the fourth equation cannot be ordered because exp(x) ⊀_1 exp(suc(x)). 

3. Take again the problem of computing the longest common subsequence of two words. To write an LMPO-program to solve this problem, we encode binary words by the sort word generated by the constructors {ε : word, a : word → word, b : word → word}. Then, we write the recursive solution of the problem. 

max : word1, Nat0, Nat0 → Nat 

max(x; n, 0) → n 
max(x; 0, m) → m 

max(i(x); suc(n), suc(m)) → suc(max(x; n, m))    i ∈ {a, b} 

lcs : word1, word1 → Nat 

lcs(x, ε;) → 0 
lcs(ε, y;) → 0 

lcs(i(x), i(y);) → suc(lcs(x, y;)) 

lcs(i(x), j(y);) → max(i(x); lcs(x, j(y);), lcs(i(x), y;))    i ≠ j 

The program is ordered by LMPO by putting max ≺_F lcs. It is worth noting that it is necessary that max has an extra argument of valency 1. The definition is unnatural. A similar defect is observable with the insertion sort in Example 1. The reason was clearly analysed by Caseiro [7], Hofmann [17] and K. Aehlig and H. Schwichtenberg [1]. Data-tiering prevents iteration on a result (i.e. on the value lcs(x, j(y);) of the example above) previously obtained by iteration, even if the function (i.e. max) does not increase the size of the output. We remedy this defect in Section 5. 
4.3 LMPO-Interpreter 

Definition 19. A sort s ∈ S is simple if for each constructor c ∈ C of type (s_1, ···, s_n) → s, the sort s appears at most once in (s_1, ···, s_n). An LMPO-program over a simple constructor signature is an LMPO-program in which each sort is simple. 

The sorts bool, Nat, and List(α), where α is simple, are simple. The sort of binary trees is not simple. 

Theorem 1. Each LMPO-program over a simple constructor signature is computable in polynomial time, and conversely each polynomial time function is computed by an LMPO-program over a simple constructor signature. 

Proof (Sketch of proof). The detailed proof can be found in [30]. The second implication is proved by programming each function of the class B of Bellantoni and Cook [3], by merely identifying safe (normal) arguments with arguments of valency 1 (resp. 0). 

Conversely, an LMPO-program is evaluated by a call-by-value interpreter with a cache memory. Whenever the interpreter wants the value of a call f(t_1, ···, t_n), it looks first in the cache. If f(t_1, ···, t_n) is not in the cache, then it computes f(t_1, ···, t_n) and stores the result in the cache, so that the next call to f(t_1, ···, t_n) will be in the cache. The algorithm of the interpreter is presented in Figure 1. 

The time-bound of the interpreter is obtained by establishing that the number of recursive calls is bounded by a polynomial in the height of the inputs. Since inputs are of simple sorts, the size of an input is at most quadratic in the height. Consequently, the run-time of the interpreter is bounded by a polynomial in the size of the inputs. 

It is necessary to memorise intermediate values because the length of a derivation can be exponential. Indeed, the length of a derivation of lcs, in Example 3(3), is exponential. Consequently, the interpreter can transform a program into an exponentially faster one. 



5 Quasi-Interpretation and MPO' 

5.1 Polynomial Quasi-Interpretation 

Definition 20. Let f ∈ F ∪ C be either a function symbol or a constructor of arity n. A quasi-interpretation of f is a mapping {f} : ℕ^n → ℕ which satisfies 

1. {f} is (non-strictly) increasing with respect to each argument. 

2. {f}(X_1, ···, X_n) ≥ X_i, for each 1 ≤ i ≤ n. 

3. {c} > 0 for each 0-ary symbol c. 

We extend a quasi-interpretation {·} to terms as follows: 

{f(t_1, ···, t_n)} = {f}({t_1}, ···, {t_n}) 
                  σ(x) = v 
   ------------------------------ 
   E, σ ⊢ (C, x) → (C, v) 

   c ∈ C      E, σ ⊢ (C_{i-1}, t_i) → (C_i, v_i) 
   -------------------------------------------------------- 
   E, σ ⊢ (C_0, c(t_1, ···, t_n)) → (C_n, c(v_1, ···, v_n)) 

   E, σ ⊢ (C_{i-1}, t_i) → (C_i, v_i)      (f(v_1, ···, v_n), v) ∈ C_n 
   -------------------------------------------------------------------- 
   E, σ ⊢ (C_0, f(t_1, ···, t_n)) → (C_n, v) 

   E, σ ⊢ (C_{i-1}, t_i) → (C_i, v_i)    f(p) → r ∈ E    p_i σ' = v_i    E, σ' ⊢ (C_n, r) → (C, v) 
   ------------------------------------------------------------------------------------------------ 
   E, σ ⊢ (C_0, f(t_1, ···, t_n)) → (C ∪ {(f(v_1, ···, v_n), v)}, v) 

Fig. 1. Call by value LMPO-interpreter with a cache. 

Given a set of equations E and a ground substitution σ, t →! v using the cache C and obtaining the cache C' is written: 

E, σ ⊢ (C, t) → (C', v) 

E, ∅ ⊢ (∅, f(t_1, ···, t_n)) → (C, v) means that ⟦f⟧(t_1, ···, t_n) = v. 



Definition 21. {·} is a quasi-interpretation of a program main if for each rule l → r ∈ E and for each constructor substitution σ, {rσ} ≤ {lσ}. 

Definition 22. A program main admits a polynomial quasi-interpretation {·} if {·} is bounded by a polynomial and each constructor c ∈ C is interpreted by {c}(X_1, ···, X_n) = Σ_{i=1}^{n} X_i + a where a > 0. 

Clearly, a quasi-interpretation is not sufficient to assure the termination of a program. For example, take the rule f(x) → f(x) which has a quasi-interpretation but does not terminate. It is worth noting that a quasi-interpretation does not bound the size of terms involved in a derivation. 

Remark 1. Termination proofs by polynomial interpretations were proposed by Lankford [25]. Termination is assured by requiring that {·} is strictly increasing and also that for each rule, {rσ} < {lσ}. Bonfante, Cichon, Marion and Touzet in [6] established that the complexity of functions computed by programs admitting a polynomial interpretation termination proof depends on constructor interpretations. In particular, when constructors are interpreted by {c}(X_1, ···, X_n) = Σ_{i=1}^{n} X_i + a (as we do), the functions computed by such systems are exactly the functions computed in polynomial-time. 

Let us end with a Lemma which we shall use later on. 
Lemma 1. Let t and s be two constructor terms of T(C). If t ≺_k s then {t} < {s}, for k = 0, 1. 

Proof. By induction on the size of s. 

5.2 Main Result 

Definition 23. The class of functions 𝔽^poly(MPO') is the class of functions computed by a program which terminates by MPO' and admits a polynomial quasi-interpretation. 

Theorem 2. The class 𝔽^poly(MPO') is exactly the class of functions computed in polynomial-time. 

Proof. In [3], Bellantoni and Cook demonstrated that the class of B functions is exactly the class of polynomial time functions. It is easy to see that each function of the class B is ordered by MPO'. Then, Lemma 4.1 of [3] provides a quasi-interpretation. It follows that each polynomial time function is in 𝔽^poly(MPO'). 

Conversely, each program is executed by the LMPO-interpreter described in Figure 1. Let us give an informal account on how to establish that the runtime is polynomially bounded. We lift each source program main to a program ⌈main⌉ which is ordered by LMPO. Intuitively, the lifting mapping ⌈·⌉ is akin to a polynomial reduction from MPO'-programs to LMPO-programs. Each rule of the program ⌈main⌉ has two new arguments. The first argument plays the role of a virtual clock. The second one is a copy of the initial setting of the clock. The semantics of the source program main is preserved only if the virtual clock is set to a value greater than the quasi-interpretation. We see that if the quasi-interpretation is bounded by a polynomial, then the runtime of the execution of main is also polynomial by Theorem 1. The details of the proof are in Section 6. 

Example 4. 

1. Consider again the problem which computes the longest common subsequence between two words. The rules, given in the introduction, which define lcs are ordered by MPO' and possess the following polynomial quasi-interpretation: {0} = {ε} = 1, {suc}(X) = {a}(X) = {b}(X) = X + 1, {max}(X, Y) = max(X, Y), {lcs}(X, Y) = max(X, Y). So, this program is evaluated in polynomial time. Finally, notice also that the lcs-rules have no polynomial interpretation. 

2. The insertion sort in Example 1 terminates by MPO' and admits the following polynomial quasi-interpretation: 

{tt} = {ff} = {nil} = {0} = 1 

{suc}(X) = X + 1, {cons}(X, Y) = X + Y + 1 

{if_then_else}(X, Y, Z) = max(X, Y, Z) 

{_<_}(X, Y) = max(X, Y) 

{insert}(X, Y) = X + Y + 1 

{sort}(X) = X 

Notice that LMPO is not able to order the rules of the insertion sort, because of the data-tiering. 

3. The definition of the exponential in Example 2(2) has no polynomial quasi-interpretation, because {d}(X) = 2 × X and we obtain the inequality {exp}(X + 1) ≥ 2 × {exp}(X) whose solution is exponential. 
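An added Python check (not the paper's code) of Definition 21 for the quasi-interpretation of Example 4(2), for a constructed wrong candidate for {insert}, and for the exponential of Example 4(3) with a constructed linear candidate for {exp}. It relies on {·} being compositional, so that assignments of positive integers to the rule variables stand for constructor substitutions.

```python
import itertools

# Added example (not the paper's code): checking Definition 21 for the
# quasi-interpretations of Example 4 on sampled constructor substitutions.
# Terms are tuples (symbol, arg_1, ..., arg_n); rule variables are strings.

def qi(t, interp, env):
    """{t} under the symbol interpretations `interp`, with the variables of t
    valued by `env` (the value {x sigma} of the constructor term x sigma)."""
    if isinstance(t, str):
        return env[t]
    return interp[t[0]](*[qi(a, interp, env) for a in t[1:]])

def variables(t):
    if isinstance(t, str):
        return {t}
    return set().union(*(variables(a) for a in t[1:]))

def violations(rules, interp, bound=8):
    """Rules l -> r with {r sigma} > {l sigma} for some assignment of the
    variables to values in 1..bound.  Since {.} is compositional and {u} >= 1
    for every constructor term u, this covers every constructor substitution
    sigma whose values have interpretations at most `bound`."""
    bad = []
    for lhs, rhs in rules:
        vs = sorted(variables(lhs))
        for vals in itertools.product(range(1, bound + 1), repeat=len(vs)):
            env = dict(zip(vs, vals))
            if qi(rhs, interp, env) > qi(lhs, interp, env):
                bad.append((lhs, rhs, env))
                break
    return bad

def suc(x): return ("suc", x)
def cons(a, l): return ("cons", a, l)
def ite(c, x, y): return ("if_then_else", c, x, y)
Z, NIL, TT, FF = ("0",), ("nil",), ("tt",), ("ff",)

# Example 1 (insertion sort).
SORT = [
    (ite(TT, "x", "y"), "x"), (ite(FF, "x", "y"), "y"),
    (("<", Z, suc("y")), TT), (("<", "x", Z), FF),
    (("<", suc("x"), suc("y")), ("<", "x", "y")),
    (("insert", "a", NIL), cons("a", NIL)),
    (("insert", "a", cons("b", "l")),
     ite(("<", "a", "b"), cons("a", cons("b", "l")),
         cons("b", ("insert", "a", "l")))),
    (("sort", NIL), NIL),
    (("sort", cons("a", "l")), ("insert", "a", ("sort", "l"))),
]
# Example 4(2): the quasi-interpretation of the insertion sort.
SORT_QI = {
    "tt": lambda: 1, "ff": lambda: 1, "nil": lambda: 1, "0": lambda: 1,
    "suc": lambda x: x + 1, "cons": lambda x, y: x + y + 1,
    "if_then_else": lambda x, y, z: max(x, y, z),
    "<": lambda x, y: max(x, y),
    "insert": lambda x, y: x + y + 1,
    "sort": lambda x: x,
}
# A wrong candidate for {insert} (constructed): both insert rules break.
BAD_SORT_QI = dict(SORT_QI, insert=lambda x, y: max(x, y))

# Example 2(2) (exponential).
EXP = [(("d", Z), Z), (("d", suc("x")), suc(suc(("d", "x")))),
       (("exp", Z), suc(Z)), (("exp", suc("x")), ("d", ("exp", "x")))]
# Example 4(3): {d}(X) = 2X is forced by the second rule, and a linear
# candidate for {exp} (constructed here) cannot satisfy
# {exp}(X + 1) >= 2 {exp}(X), which the last rule demands.
EXP_QI = {"0": lambda: 1, "suc": lambda x: x + 1,
          "d": lambda x: 2 * x, "exp": lambda x: 2 * x + 1}
```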

6 Runtime Analysis 

Without loss of generality, we assume that each program contains the sort Nat. 



6.1 Program Lifting 

Let ≺_F be a precedence over F. We define a lift mapping ⌈·⌉ which transforms each program main = ⟨X, C, F, E⟩ into a program ⌈main⌉ = ⟨⌈X⌉, C, ⌈F⌉, ⌈E⌉⟩ where 

— ⌈X⌉ = X ∪ {X, Y} where X and Y are two fresh variables (not in the set of variables of main), 

— The set of function symbols ⌈F⌉ consists of a new symbol f' of arity n + 2, for each symbol f ∈ F of arity n ≥ 0. 

— The set of rules ⌈E⌉ contains a rule 

f'(suc(X), Y; p_1, ···, p_n) → ⌈s⌉_{X,Y} 

for each rule f(p_1, ···, p_n) → s of E, where ⌈s⌉_{X,Y} is defined below. 

The lift mapping ⌈·⌉_{X,Y} on terms is defined as follows: 

— ⌈x⌉_{X,Y} = x for all x ∈ X. 

— ⌈c(t_1, ···, t_m)⌉_{X,Y} = c(⌈t_1⌉_{X,Y}, ···, ⌈t_m⌉_{X,Y}) if c ∈ C. 

— ⌈g(t_1, ···, t_n)⌉_{X,Y} = g'(Y, Y; ⌈t_1⌉_{X,Y}, ···, ⌈t_n⌉_{X,Y}) if g ≺_F f, 
  and ⌈g(t_1, ···, t_n)⌉_{X,Y} = g'(X, Y; ⌈t_1⌉_{X,Y}, ···, ⌈t_n⌉_{X,Y}) if g ≈_F f. 

Proposition 2. Let main be an MPO'-program. ⌈main⌉ is an LMPO-program. 

Proof. We define the valency function ν over ⌈F⌉ by ν(f', 1) = ν(f', 2) = 1 and ν(f', 3 + i) = 0, i < n, for each symbol f ∈ F of arity n ≥ 0. 

Now, consider a rule t = f(p_1, ···, p_n) → s of E. We show that if s ≺_mpo' t then ⌈s⌉_{X,Y} ≺_0 f'(suc(X), Y; p_1, ···, p_n) = T. The proof goes by induction on the size of the right-hand side term s. 

If s = c(u_1, ···, u_m), c ∈ C, then ⌈s⌉_{X,Y} = c(⌈u_1⌉_{X,Y}, ···, ⌈u_m⌉_{X,Y}). By the MPO' definition, u_i ≺_mpo' t for each 1 ≤ i ≤ m. So, by induction hypothesis, ⌈u_i⌉_{X,Y} ≺_0 T. So, by definition of LMPO (rule 3), ⌈s⌉_{X,Y} ≺_0 T. 

If s = g(u_1, ···, u_m), where g ∈ F and g ≺_F f, then we have ⌈s⌉_{X,Y} = g'(Y, Y; ⌈u_1⌉_{X,Y}, ···, ⌈u_m⌉_{X,Y}). By the MPO' definition, u_i ≺_mpo' t for each 1 ≤ i ≤ m. So, by induction hypothesis, ⌈u_i⌉_{X,Y} ≺_0 T. We have Y ≺_1 T. It follows by definition of LMPO (rule 4) that ⌈s⌉_{X,Y} ≺_0 T. 

If s = g(u_1, ···, u_n), where g ∈ F and g ≈_F f, then we have ⌈s⌉_{X,Y} = g'(X, Y; ⌈u_1⌉_{X,Y}, ···, ⌈u_n⌉_{X,Y}). By definition of MPO', there exists a permutation π such that u_i ⪯_mpo' p_π(i) for each 1 ≤ i ≤ n. Since the u_i's and p_i's are terms of T(C, X), we have ⌈u_i⌉_{X,Y} ⪯_0 p_π(i). Next, we have X ≺_1 suc(X). The definition of LMPO (rule 5) gives: ⌈s⌉_{X,Y} ≺_0 T. 

Since each rule of main is ordered by MPO', we have shown that each rule of ⌈main⌉ is ordered by LMPO, which leads to the conclusion. 



6.2 Quasi-Interpretations are Virtual Clocks 

We define ⌊·⌋ as the inverse of the term lifting ⌈·⌉_{X,Y} as follows. 

— ⌊x⌋ = x if x ∈ X. 

— ⌊c(t_1, ···, t_n)⌋ = c(⌊t_1⌋, ···, ⌊t_n⌋) if c ∈ C. 

— ⌊f'(h_1, h_2; t_1, ···, t_n)⌋ = f(⌊t_1⌋, ···, ⌊t_n⌋) if f ∈ F. 

We see that ⌊ 

Lemma 2. Let main = ⟨X, C, F, E⟩ be an MPO'-program which admits a quasi-interpretation {·}. Let d be the greatest arity of a function symbol in main. Let t be a ground term of T(C, ⌈F⌉). 

Suppose that for each subterm f'(h_1, h_2; t_1, ···, t_n) of t, we have (i) h_1 ≥ Σ_{i=1}^{n} {⌊t_i⌋} and (ii) h_2 ≥ d × {f(⌊t_1⌋, ···, ⌊t_n⌋)}. 

If ⌊t⌋ → u then there exists a term v such that 

1. ⌊v⌋ = u and t → v. 

2. For each subterm f'(h'_1, h'_2; v_1, ···, v_m) of v, we have (i) h'_1 ≥ Σ_{i=1}^{m} {⌊v_i⌋} and (ii) h'_2 ≥ d × {f(⌊v_1⌋, ···, ⌊v_m⌋)}. 

Proof. ⌊t⌋ → u means that there are a rule e = f(p_1, ···, p_n) → r in E, a subterm f(⌊t_1⌋, ···, ⌊t_n⌋) of ⌊t⌋ and a constructor substitution σ such that f(⌊t_1⌋, ···, ⌊t_n⌋) = f(p_1, ···, p_n)σ and u = ⌊t⌋[rσ/f(⌊t_1⌋, ···, ⌊t_n⌋)]. 

The rule e is lifted to ⌈e⌉ = f'(suc(X), Y; p_1, ···, p_n) → ⌈r⌉_{X,Y}. There are h_1 and h_2 such that ⌊f'(h_1, h_2; t_1, ···, t_n)⌋ = f(⌊t_1⌋, ···, ⌊t_n⌋). We have h_1 > 0 because quasi-interpretations are always strictly positive. It follows that there is a constructor substitution σ' which extends σ and such that σ'(X) = h_1 − 1 and σ'(Y) = h_2. Therefore, we apply ⌈e⌉ to t and we obtain v = t[(⌈r⌉_{X,Y})σ'/f'(h_1, h_2; t_1, ···, t_n)]. We get ⌊v⌋ = u. 

It remains to establish (2). Take a subterm g'(h'_1, h'_2; u_1, ···, u_m) of v. If this subterm remains as it was before the reduction step, then (2) is satisfied. Otherwise, it is a subterm of (⌈r⌉_{X,Y})σ', and we have h'_2 = σ'(Y) = h_2. 

Because the quasi-interpretation is increasing and by the Lemma assumptions, 

h'_2 = h_2 ≥ d × {f(⌊t_1⌋, ···, ⌊t_n⌋)} ≥ d × {g(⌊u_1⌋, ···, ⌊u_m⌋)} 

So the condition (ii) is satisfied. 

Next, if g ≺_F f, we have h'_1 = σ'(Y) = h_2. The condition (2) on the definition of a quasi-interpretation enforces 

h'_1 = h_2 ≥ d × {g(⌊u_1⌋, ···, ⌊u_m⌋)} ≥ Σ_{i=1}^{m} {⌊u_i⌋} 

Lastly, if g ≈_F f then h'_1 = h_1 − 1. Since the rule e is ordered by MPO', there is a permutation π such that: 

— for all 1 ≤ i ≤ n, u_i ⪯_mpo' t_π(i). 
— There exists a j such that u_j ≺_mpo' t_π(j). 

By Lemma 1, {⌊u_i⌋} ≤ {⌊t_π(i)⌋} for all 1 ≤ i ≤ n and {⌊u_j⌋} < {⌊t_π(j)⌋}. So we have h'_1 = h_1 − 1 ≥ Σ_{i=1}^{n} {⌊t_i⌋} − 1 ≥ Σ_{i=1}^{n} {⌊u_i⌋}. So (i) is proved. 

Proposition 3. Let main be an MPO'-program which admits a quasi-interpretation and let t_1, ···, t_n be constructor terms of T(C). Let d be the greatest arity of a function symbol in F. 

Suppose that main(t_1, ···, t_n) →! s. 

Let main' be the main symbol of ⌈main⌉. If h ≥ d × {main(t_1, ···, t_n)}, we have main'(h, h; t_1, ···, t_n) →! s. 

Proof. By induction on the length of the derivation, using the above Lemma 2. 



Theorem 3. Let main be an MPO'-program which admits a polynomial quasi-interpretation. The function ⟦main⟧ is computed in polynomial time in the size of the inputs. 

Proof. The computation of ⟦main⟧ on inputs t_1, ···, t_n is performed by evaluating main with the LMPO-interpreter described in Figure 1. The computation runtime is at least as efficient as the evaluation of main'(h, h; t_1, ···, t_n), which is defined by the lifted program ⌈main⌉ and where h = d × {main(t_1, ···, t_n)}. Let q be a polynomial which bounds the quasi-interpretation {main}. So, the size of h is bounded by q(c × max_{i=1}^{n} |t_i|) for some constant c which depends on constructor interpretations. Following Theorem 1, the runtime of main' is bounded by a polynomial p in the maximal size of the arguments. We conclude that the runtime of main'(h, h; t_1, ···, t_n) is bounded by p(q(c × max_{i=1}^{n} |t_i|)). 
Abstract. The ZETA system is a Z-based tool environment for developing formal specifications. It contains a component for executing the Z language based on the implementation technique of concurrent constraint resolution. In this paper, we present a case-study for the environment, by providing an executable encoding of temporal interval logics in the Z language. As an application of this setting, test-case evaluation of trace-producing systems on the basis of a formal requirements specification is envisaged. 



1 Introduction 

The ZETA system [3] is a tool environment for developing formal specifications 
based on the Z notation [12]. It contains a component for executing the Z lan- 
guage, using a computation model of concurrent constraint resolution, described 
in [6]. A wide range of Z’s logic can be executed within this approach, integrating 
the power of higher-order functional and logic computation. 

In this paper, we present a case study of the system. We develop an executable 
encoding of discrete temporal interval logics (in the style of Moszkowski’s logic, 
[9]), and illustrate it by animation in the ZETA system. The example demon- 
strates the interplay of logical search and of higher-orderness, the last one allow- 
ing us to build abstractions by passing predicates (generally represented as sets 
in Z) to functions and storing them in data values. 

As an application of our encoding of temporal logics we briefly look at test- 
case evaluation for safety-critical embedded systems. Given a formal require- 
ments specification which uses temporal logics, some input data describing a 
test case, and the output data from a run of the system’s implementation on the 
given input, we check by executing the specification whether the implementation 
meets its requirements. This application stems from the context of a research 
project funded by DaimlerChrysler. 

This paper is organized as follows. In Sec. 2, we introduce the basic features of 
executing Z in the ZETA system. In Sec. 3 we develop the encoding of temporal 
logics, and describe the application to test-case evaluation, where we use the 
example of an elevator controller. In Sec. 4 we give a conclusion, discussing the 
results and related work. 



M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 43—53, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 
Fig. 1. ZETA's Graphical User Interface After Executing an Expression 




2 Executing Z under ZETA 

In [5,6] a computation model based on concurrent constraint resolution has been developed for Z. A high-performance virtual machine has been derived, which is implemented as a component of the ZETA system. In this implementation, all idioms of Z which are related to functional and logic programming languages are executable. Below, we look at some examples to illustrate the basic features. We assume some knowledge of Z (see e.g. [12]; the Z implemented by ZETA actually conforms to the forthcoming Z ISO Standard [16], which, however, does not make a significant difference in our application). 

As sets are paradigmatic for the specification level of Z, they are for the execution level. Set objects - relations or functions - are eventually defined by (recursive) equations, as in the following example, where we define natural numbers as a free type, addition on these numbers and an order relation: 

N ::= Z | S⟨⟨N⟩⟩ 
three == S(S(S Z)) 

add : P((N × N) × N) 

add = {y : N • (Z, y) ↦ y} ∪ {x, y, z : N | (x, y) ↦ z ∈ add • (S x, y) ↦ S z} 

_ less _ == {x, y : N | (∃ t : N • (x, S t) ↦ y ∈ add)} 

A few remarks on the syntax. With ::= a free type is introduced in Z. The 
declaration form $n == E$ declares and defines a (non-recursive) name simul- 
taneously. The form $x \mapsto y$ is just an alternative notation for $(x, y)$. A set 
comprehension in Z, $\{x : T \mid P \bullet E\}$, describes the values $E$ such that $P$ holds 
for the possible assignments of $x$; if the $\bullet$ is omitted (as in the definition of 
less, where the $\bullet$ actually belongs to the existential quantor), the set of tu- 
ples of the assignments to the variables in the declaration part is denoted (thus 
$\{x, y : T \mid P\} = \{x, y : T \mid P \bullet (x, y)\}$). 

We may now execute under ZETA queries such as the following, where we 
ask for the pair of sets less and greater than three: 

$(\{x : \mathbb{N} \mid x\ less\ three\}, \{x : \mathbb{N} \mid three\ less\ x\})$

$\leadsto (\{Z, S(Z), S(S(Z))\}, \{S(S(S(S(t^\sim))))\})$

The query as it is entered into the ZETA GUI is visualized in Fig. 1. In the 
sequel, however, we will use a conceptual notation as above. 

As the result of the query, we get the pair of the numbers less than and 
greater than three, where the second value of the resulting pair is a singleton set 
containing the free variable t~ (the ~ results from internal variable renaming). 
These capabilities are obviously similar to logic programming. In fact, we can give 
a translation from any clause-based system to a system of recursive set-equations 
in the style given for add, where we collect all clauses for the same relational 
symbol into a union of set-comprehensions, and map literals $R(e_1, \ldots, e_n)$ to 
membership tests $(e_1, \ldots, e_n) \in R$. 

The functional paradigm comes into play as follows. A binary relation $R$ can 
be applied, written as $R\,e$, which is syntactic sugar for the expression $\mu y : X \mid 
(e, y) \in R$. This expression is defined iff there exists a unique $y$ such that the 
constraint is satisfied; it then delivers this $y$. The set add is a binary relation 
(since it is a member of the set $\mathbb{P}((\mathbb{N} \times \mathbb{N}) \times \mathbb{N})$), and therefore we can for example 
evaluate $add(three, three) \leadsto S(S(S(S(S(S(Z))))))$. 

Note the semantic difference of $(e, y) \in R$ and $y = R\,e$: the first is not 
satisfied if $R$ is not defined at $e$, or produces several solutions for $y$ if $R$ is not 
unique at $e$, whereas the second is undefined in these cases. This difference is 
reflected in the implementation: application, $\mu$-expressions, and related forms 
are realized by encapsulated search. During encapsulated search, free variables 
from the enclosing context are not allowed to be bound. A constraint requiring 
a value for such variables residuates until the context binds the variable. As a 
consequence, if we had defined the recursive path of add as $\{x, y, z : \mathbb{N} \mid z = 
add(x, y) \bullet (S\,x, y) \mapsto S\,z\}$ (instead of using $(x, y) \mapsto z \in add$), backwards 
computation is not possible: 

$\{x : \mathbb{N} \mid x\ less\ three\}$

$\leadsto$ unresolved constraints: 

LTX;cpinz(48.24-48.31) waiting for variable x 

Here, the encapsulated search for $add(x, y)$, solving $\mu z : \mathbb{N} \mid ((x, y), z) \in add$, 
cannot continue, since it is not allowed to produce bindings for the context 
variables x and y. 

The elegance of the functional paradigm comes from the fact that functions 
are first-class citizens. In our implementation of execution for Z, sets are first- 
class citizens as well. For example, we define a function describing relational 
image as follows: 
$[X, Y]$

$\_(\!|\_|\!) == \lambda R : \mathbb{P}(X \times Y); S : \mathbb{P}\,X \bullet \{x : X; y : Y \mid x \in S; (x, y) \in R \bullet y\}$



A query for the relational image of the add function over the cartesian product 
of the numbers less than three yields: 

$\mathrm{let}\ ns == \{x : \mathbb{N} \mid (x, three) \in less\} \bullet add(\!|ns \times ns|\!)$

$\leadsto \{Z, S(Z), S(S(Z)), S(S(S(Z))), S(S(S(S(Z))))\}$

Universal quantification is executable if it deals with finite ranges. For exam- 
ple, we can define the operator denoting the set of partial functions in Z, $A \pfun B$, 
as follows: 

$[X, Y]$

$\_ \pfun \_ == \{R : \mathbb{P}(X \times Y) \mid (\forall x : X \mid x \in \mathrm{dom}\,R \bullet \exists_1 y : Y \bullet (x, y) \in R)\}$



Universal and unique existential quantification are resolved by enumeration. 
Thus, if we try to check whether add is a partial function, we get in a few 
seconds: 

$add \in \mathbb{N} \times \mathbb{N} \pfun \mathbb{N}$

^ still searching after 200000 steps 
gc #1 reclaimed 28674k of 32770k 

In enumerating the domain of add our computation diverges. However, if we 
restrict add to a finite domain it works: 

$\exists ns == \{x : \mathbb{N} \mid (x, three) \in less\} \bullet ((ns \times ns) \lhd add \in \mathbb{N} \times \mathbb{N} \pfun \mathbb{N})$

$\leadsto$ *true* 

Above, $A \lhd R$ restricts the domain of $R$ to the set $A$; the existential quantor is 
used to introduce a local name in the predicate. 

3 Encoding of Temporal Interval Logics 

Temporal interval logic [9,4] is a powerful tool for describing requirements on 
traces of the behavior of real-time systems. For a discrete version of this logic, 
related to Moszkowski's version of ITL, an embedding into Z has been described 
in [2]. Here, we develop an executable shallow encoding for the positive subset of 
this kind of ITL. The encoding supports resolution for timing and observation 
constraints (going beyond Moszkowski's Tempura implementation), demonstrat- 
ing some of the capabilities of Executable Z in the ZETA system. 

3.1 The Encoding 

We define temporal formulas generic over a state type $\Sigma$, such that the behav- 
iors we look at have type $\mathrm{seq}\,\Sigma$ ($\mathrm{seq}\,\_$ is Z's type constructor for sequences). A 
predicate over a state binding is a unary relation, $p \in SP[\Sigma] = \mathbb{P}\,\Sigma$: 

$SP[\Sigma] == \mathbb{P}\,\Sigma$

A temporal formula is encoded by a set of so-called arcs, $w \in TF[\Sigma] = 
\mathbb{F}\,ARC[\Sigma]$ (footnote 1), which basically model a transition relation. An arc is either a proper 
transition, $tr(p, w)$, where $p$ is the guard for this transition and $w$ a followup 
formula, or the special arc $eot$ which indicates that an interval which satisfies 
this formula may end at this point: 

$TF[\Sigma] == \mathbb{F}\,ARC[\Sigma] \qquad ARC[\Sigma] ::= eot \mid tr\langle\langle SP[\Sigma] \times TF[\Sigma] \rangle\rangle$

$xs \in_T w$ is the satisfaction relation of this encoding of temporal formulas, 
and is defined as follows: 

$\_ \in_T \_ : \mathrm{seq}\,\Sigma \leftrightarrow TF[\Sigma]$

$(\_ \in_T \_) = \{w : TF[\Sigma] \mid eot \in w \bullet (\langle\rangle, w)\} \cup$

$\quad \{x : \Sigma; xs : \mathrm{seq}\,\Sigma; p : SP[\Sigma]; w, w' : TF[\Sigma] \mid$

$\quad\quad tr(p, w') \in w; x \in p; xs \in_T w' \bullet (\langle x \rangle \frown xs, w)\}$



Thus, if $eot$ is an arc of the transition relation, then the empty interval is valid. 
Moreover, all intervals are valid such that there exists a transition whose pred- 
icate fulfills the head of the interval, and the tail of the interval satisfies the 
followup formula of this transition. 

We now define the operators of our logic, which construct values of type 
$TF[\Sigma]$. The formula which is satisfied exactly by the empty trace is encoded 
by the singleton transition containing the $eot$ arc. The formula $\uparrow p$ lifts a state 
predicate $p$ to an interval formula which holds exactly for those intervals of 
length 1 containing a state which satisfies $p$: 

$[\Sigma]$

$empty == \{eot[\Sigma]\} \qquad \uparrow == \lambda p : SP[\Sigma] \bullet \{tr(p, empty)\}$



Next we look at disjunction, $w_1 \sqcup w_2$, and its generalized form $\bigsqcup$. Disjunction 
is realized by simply mapping it to the union of the arc sets of both formulas: 

$[\Sigma]$

$\_ \sqcup \_ == \lambda w_1, w_2 : TF[\Sigma] \bullet w_1 \cup w_2$

$[\Sigma]$

$\bigsqcup == \lambda ws : \mathbb{P}\,TF[\Sigma] \bullet \bigcup ws$



1 We use the powerset constructor $\mathbb{F}$, which models a computable powerset domain. 
Using the general powerset, $\mathbb{P}$, our free type definition of ARC would be inconsistent 
in Z, since a free type's constructor cannot have a general powerset of the type in 
its domain. 

Beware that the generalized disjunction operator can be used for introducing 
"local variables", as in $\bigsqcup\{x : T \bullet TF[x]\}$. 

Conjunction, $w_1 \sqcap w_2$, constructs new arcs by pairwise combination of all arcs 
of $w_1$ and $w_2$; the conjunction is recursively "pushed" through these combina- 
tions: 

$\_ \sqcap \_ : TF[\Sigma] \times TF[\Sigma] \to TF[\Sigma]$

$(\_ \sqcap \_) = \lambda w_1, w_2 : TF[\Sigma] \bullet$

$\quad (\mathrm{if}\ eot \in w_1 \wedge eot \in w_2\ \mathrm{then}\ empty\ \mathrm{else}\ \emptyset) \cup$

$\quad \{p_1, p_2 : SP[\Sigma]; w_1', w_2' : TF[\Sigma]$

$\quad\quad \mid tr(p_1, w_1') \in w_1; tr(p_2, w_2') \in w_2 \bullet tr(p_1 \cap p_2, w_1' \sqcap w_2')\}$



$w_1 ; w_2$ is sequential composition ("chop"). The followup formula $w_2$ is re- 
cursively pushed through the arcs of $w_1$ until $eot$ is reached: 

$\_ ; \_ : TF[\Sigma] \times TF[\Sigma] \to TF[\Sigma]$

$(\_ ; \_) = \lambda w_1, w_2 : TF[\Sigma] \bullet$

$\quad (\mathrm{if}\ eot \in w_1\ \mathrm{then}\ w_2\ \mathrm{else}\ \emptyset) \cup$

$\quad \{p : SP[\Sigma]; w_1' : TF[\Sigma] \mid tr(p, w_1') \in w_1 \bullet tr(p, w_1' ; w_2)\}$



$w^*$ is the repetition of $w$ for zero or more times, $w^+$ for one or more times. 
In the definition of $\_^*$, we need to embed the recursive reference to $\_^*$ in a 
set-comprehension, since our implementation of Z imposes a strict (eager) eval- 
uation order. The formula $skip$ holds for arbitrary singleton intervals. Temporal 
truth, satisfied by any interval, is the repetition of $skip$. Temporal falsity is 
described by the empty set of arcs: 

$\_^* : TF[\Sigma] \to TF[\Sigma]$

$(\_^*) = \lambda w : TF[\Sigma] \bullet empty \cup ((w \setminus empty) ; \{a : ARC[\Sigma] \mid a \in w^*\})$

$[\Sigma]$

$\_^+ == \lambda w : TF[\Sigma] \bullet w ; w^*$

$[\Sigma]$

$skip == \uparrow \Sigma$

$[\Sigma]$

$true == skip[\Sigma]^*$

$[\Sigma]$

$false == \emptyset[ARC[\Sigma]]$



We animate the encoding of some formulas. Suppose type $\Sigma$ is instantiated 
with $\mathbb{Z}$. Recall that our observation predicates are sets, hence we can use e.g. $\{1\}$ 
as a predicate which is exactly true for the state value 1: 

$\uparrow\{1\} ; empty ; \uparrow\{2\} ; empty \leadsto \{tr(\{1\}, \{tr(\{2\}, \{eot\})\})\}$

$\uparrow\{1\}^* \leadsto \{eot, tr(\{1\}, \{eot, tr(\{1\}, \ldots)\})\}$

$\uparrow\{2, 3\}^* \sqcap (\uparrow\{1, 2\} ; \uparrow\{3, 4\}) \leadsto \{tr(\{2\}, \{tr(\{3\}, \{eot\})\})\}$

The first example shows neutrality of empty on chop. The next example illus- 
trates how the repetition operator incrementally “unrolls” its operand (the ZETA 
displayer has stopped unrolling after a certain depth). In the last example, the 
effect of conjunction is shown. 

Using the satisfaction relation $t \in_T w$, we can now test whether a trace $t$ 
fulfills a formula $w$ and, provided the state predicates are finite, also generate 
the set of traces which satisfy a formula. Here are some examples: 

$\langle 1, 2, 3, 1, 2, 1 \rangle \in_T (true ; \uparrow\{x : \mathbb{Z} \mid x \geq 2\}^+)^* \leadsto$ *false* 

$\langle 2, 2, 2, 1, 2, 2 \rangle \in_T (true ; \uparrow\{x : \mathbb{Z} \mid x \geq 2\}^+)^* \leadsto$ *true* 

$\{t : \mathrm{seq}\,\mathbb{Z} \mid t \in_T \uparrow\{1, 2\}^+\} \leadsto \{\langle 1 \rangle, \langle 2 \rangle, \langle 1, 1 \rangle, \langle 1, 2 \rangle, \ldots\}$

In the first two examples above, the formula states that the interval must be 
partitionable into zero or more sub-intervals such that in each sub-interval, from 
some point on only numbers greater than or equal to two appear. This is not satisfied by the 
first trace, but by the second, choosing the right partitioning. The third example 
shows the generation of traces. 

Our encoding allows the use of free variables in state predicates. For example, 
we can define a formula which is satisfied by all traces which contain adjacent 
equal values. The variable can be existentially quantified, or, as in the example below, 
bound by a set comprehension to enumerate its possible bindings: 

$\{x : \mathbb{Z} \mid \langle 4, 1, 1, 3, 2, 2 \rangle \in_T true ; \uparrow\{x\} ; \uparrow\{x\} ; true\} \leadsto \{1, 2\}$

We will use this feature in the next section in order to introduce timing con- 
straints. 



3.2 Timing Constraints 

Due to the higher-orderness of Z and our implementation, it is easily possible to 
add new temporal operators. Suppose that our state type $\Sigma$ contains a duration 
stamp describing the time distance to the next observation (footnote 2), and that this stamp 
is selected by the function $getd : \Sigma \to T$. We can then define a duration operator 
$DUR(getd, d)$ which holds for those intervals whose duration is $d$ (footnote 3): 

$T == \mathbb{Z}$

$DUR : (\Sigma \to T) \times T \to TF[\Sigma]$

$DUR = \lambda getd : \Sigma \to T; d : T \bullet$

$\quad \bigsqcup\{\sigma : \Sigma \mid getd\,\sigma = d \bullet \uparrow\{\sigma\}\} \cup$

$\quad \bigsqcup\{\sigma : \Sigma; d' : T \mid d = getd\,\sigma + d' \bullet \uparrow\{\sigma\} ; DUR(getd, d')\}$

2 Currently, in our implementation of Z only integral numbers are supported; hence 
we define time as integral numbers. 

3 Beware that we do not support an "overlapping chop"; therefore intervals whose 
limits fall between two data samples of the given behavior are never considered. 



This definition makes use of the "generalized disjunction" for temporal for- 
mulas, $\bigsqcup$ (see 3.1), to introduce local variables $\sigma$ and $d'$. In general, the set- 
comprehension $\{x : T \mid P \bullet w\}$, where $w$ is a temporal formula, denotes the set 
of all formulas for instances of $x$ which satisfy $P$. Since a temporal formula is 
a set of arcs, the generalized disjunction simply collects all arcs from all formu- 
las, by its definition $\bigsqcup = \bigcup$. The name $\bigcup$ is in turn defined in the Z standard 
library as $\bigcup SS = \{x : X; S : \mathbb{P}\,X \mid S \in SS; x \in S \bullet x\}$. Our implementation 
enumerates the solutions to $S \in SS$ symbolically; hence $\bigsqcup$ also works if $SS$ 
is not finite, as in the definition of $DUR$. 

In the definition of DUR{getd, d) two cases are distinguished. Either the 
interval contains exactly one state with duration d, or d is the result of adding 
getd a of the heading state and d' for the remaining states. 

As an example, we calculate the partitions of an interval with equal dura- 
tion, using repetition on the duration operator (where our state contains only 
durations, and the identity function $id$ selects them): 

$\{d : T \mid \langle 1, 1, 2, 2, 2 \rangle \in_T DUR(id, d)^*\}$

$\leadsto \{2, 4, 8\}$

Note that the partitionings are not of equal length regarding the number of 
states in an interval. For the duration 2, we use $\langle 1, 1 \rangle$ and the remaining three 
$\langle 2 \rangle$ partitions. For the duration 4, we have $\langle 1, 1, 2 \rangle$ and $\langle 2, 2 \rangle$. For duration 8, 
one partition containing all states is recognized. 



3.3 Application 

Fig. 2 gives a very simplified example of how to apply our temporal logic for 
requirements specification. The specification defines some aspects of the behavior 
of a (much simplified) elevator controller. The elevator’s state is modeled by a 
set of sensors which are combined with a duration stamp into the system state 
STATE. The sensors are the current position of the elevator and two sets which 
represent the state of doors at each floor and of request buttons. Floors are 
modeled as a subset of positions. 
Fig. 2 Elevator Requirements 

$POS == \mathbb{N} \qquad FLOOR == \{0, 20, 40, 60, 80\}$

$delay == 15$

$STATE$: $dur : T;\ pos : POS;\ open, request : \mathbb{P}\,FLOOR$

$getd == \lambda \sigma : STATE \bullet \sigma.dur$

$Safety == \uparrow[STATE \mid \forall f : FLOOR \mid f \in open \bullet pos = f]^*$

$Serve == \lambda f : FLOOR \bullet$

$\quad \uparrow[STATE \mid f \notin request] \sqcup$

$\quad (\uparrow[STATE \mid f \in request \wedge f \neq pos]^+ ;$

$\quad\ \bigsqcup\{d : T \mid d < delay \bullet \uparrow[STATE \mid f = pos]^* \sqcap DUR(getd, d)\} ;$

$\quad\ \uparrow[STATE \mid f \in open]^+)$

$Liveness == Serve(0)^* \sqcap Serve(20)^* \sqcap Serve(40)^* \sqcap Serve(60)^* \sqcap Serve(80)^*$

$Reqs == Safety \sqcap Liveness$



Our requirements are composed from the conjunction of sub-requirements: 

- Safety: a door must only be open if the elevator is at the floor of the door. 

- Serve: describing the service requirements for a given floor $f$: either the floor 
is not requested, or, if the elevator is requested at this floor, the elevator 
can be anywhere else. But as soon as it reaches the floor, it must stop there 
and open the door at least after delay seconds. (The specification does not 
handle error situations, where the elevator does not work for some reason.) 

- Liveness: is simply the conjunction of all service requirements for all floors. 

Such a specification can now be used for test-evaluation, feeding it with the 
concrete traces produced by an implementation of the controller. For example, 
let some test traces (parameterized over a duration stamp) be defined as follows: 

$t_1 == \lambda d : T \bullet \langle \langle\!| dur == d, pos == 0, open == \emptyset, request == \{20\} |\!\rangle,$

$\qquad \langle\!| dur == d, pos == 20, open == \emptyset, request == \{20\} |\!\rangle,$

$\qquad \langle\!| dur == d, pos == 20, open == \{20\}, request == \emptyset |\!\rangle \rangle$

$t_2 == \lambda d : T \bullet \langle \langle\!| dur == d, pos == 0, open == \emptyset[\mathbb{Z}], request == \{20\} |\!\rangle,$

$\qquad \langle\!| dur == d, pos == 20, open == \emptyset, request == \{20\} |\!\rangle,$

$\qquad \langle\!| dur == d, pos == 40, open == \emptyset, request == \{20\} |\!\rangle \rangle$

Here are some evaluation results: 

$t_1\,10 \in_T Reqs \leadsto$ *true*; $\quad t_1\,40 \in_T Reqs \leadsto$ *false*; $\quad t_2\,10 \in_T Reqs \leadsto$ *false* 

In the second case, the elevator stopped at the requested floor but did not open 
the door in time. In the third case, the elevator passed a requested floor without 
stopping. 
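The arc encoding of Sec. 3.1, the DUR operator of Sec. 3.2 and the elevator requirements of Fig. 2 with the test traces above, rendered in Python as an added example (this is not the ZETA/Z code of the paper). Assumptions: formulas are thunks so that w* unrolls lazily, an arc's follow-up may depend on the matched state (our operational reading of the generalized disjunction over a state variable), durations are positive, and STATE bindings are plain dicts.

```python
"""Arc-based encoding of the paper's discrete ITL (Secs. 3.1 to 3.3) as an
added Python example; this is not the ZETA/Z code of the original paper.

A formula is a thunk returning its arcs: EOT, or (guard, follow), where guard
is a state predicate and follow maps the state that satisfied the guard to the
follow-up formula.  Letting follow see the matched state is our operational
reading of the paper's generalized disjunction over a state variable (as in
DUR); the paper's plain arcs tr(p, w') simply ignore it.  Thunks give the lazy
unrolling of w* that the paper obtains with a set-comprehension around w*.
"""
EOT = object()                   # the special arc eot

def has_eot(w):
    return any(a is EOT for a in w())

def trans(w):                    # the proper transitions tr(p, w') of w
    return [a for a in w() if a is not EOT]

def empty():                     # satisfied only by the empty interval
    return [EOT]

def lift(pred):                  # (up)pred: one state satisfying pred
    return lambda: [(pred, lambda _s: empty)]

def disj(*ws):                   # (join), also the generalized form: union of arcs
    return lambda: [a for w in ws for a in w()]

def chop(w1, w2):                # w1 ; w2: push w2 through w1 until eot
    def unroll():
        out = w2() if has_eot(w1) else []
        return out + [(p, lambda s, f=f: chop(f(s), w2)) for (p, f) in trans(w1)]
    return unroll

def conj(w1, w2):                # w1 (meet) w2: pairwise arc combination
    def unroll():
        out = [EOT] if has_eot(w1) and has_eot(w2) else []
        return out + [(lambda s, p=p, q=q: p(s) and q(s),
                       lambda s, f=f, g=g: conj(f(s), g(s)))
                      for (p, f) in trans(w1) for (q, g) in trans(w2)]
    return unroll

def star(w):                     # w* = empty (join) ((w \ empty) ; w*)
    return lambda: [EOT] + chop(lambda: trans(w), star(w))()

def plus(w):                     # w+ = w ; w*
    return chop(w, star(w))

skip = lift(lambda _s: True)     # any singleton interval
true = star(skip)                # any interval

def sat(trace, w):               # trace (in_T) w: the two clauses of Sec. 3.1
    if not trace:
        return has_eot(w)
    return any(p(trace[0]) and sat(trace[1:], f(trace[0])) for (p, f) in trans(w))

def dur(getd, d):                # DUR(getd, d) of Sec. 3.2, durations assumed positive
    return lambda: [(lambda s: getd(s) == d, lambda _s: empty),
                    (lambda s: getd(s) < d, lambda s: dur(getd, d - getd(s)))]

def ge2_blocks(trace):           # trace (in_T) (true ; (up){x : Z | x >= 2}+)*
    return sat(trace, star(chop(true, plus(lift(lambda x: x >= 2)))))

def equal_duration_partitions(durations):   # {d : T | durations (in_T) DUR(id, d)*}
    return {d for d in range(1, sum(durations) + 1)
            if sat(durations, star(dur(lambda s: s, d)))}

# Fig. 2, with STATE bindings as dicts with keys dur, pos, open, request.
FLOOR, DELAY = (0, 20, 40, 60, 80), 15

def serve(f):                    # Serve(f): not requested, or reached, stopped, opened
    return disj(
        lift(lambda s: f not in s["request"]),
        chop(plus(lift(lambda s: f in s["request"] and f != s["pos"])),
             chop(disj(*[conj(star(lift(lambda s: f == s["pos"])),
                              dur(lambda s: s["dur"], d)) for d in range(1, DELAY)]),
                  plus(lift(lambda s: f in s["open"])))))

safety = star(lift(lambda s: all(s["pos"] == g for g in s["open"])))
liveness = star(serve(FLOOR[0]))
for _f in FLOOR[1:]:             # Serve(0)* (meet) Serve(20)* (meet) ...
    liveness = conj(liveness, star(serve(_f)))
reqs = conj(safety, liveness)    # Reqs == Safety (meet) Liveness

def trace_t1(d):                 # t1 d: request 20, arrive at 20, open the door
    return [dict(dur=d, pos=0, open=set(), request={20}),
            dict(dur=d, pos=20, open=set(), request={20}),
            dict(dur=d, pos=20, open={20}, request=set())]

def trace_t2(d):                 # t2 d: request 20, pass 20 without stopping
    return [dict(dur=d, pos=0, open=set(), request={20}),
            dict(dur=d, pos=20, open=set(), request={20}),
            dict(dur=d, pos=40, open=set(), request={20})]

def meets_reqs(trace):           # trace (in_T) Reqs
    return sat(trace, reqs)
```

Unlike ZETA, this checker cannot generate traces from a formula; it only decides membership, which is all that test-case evaluation needs.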
The performance of test-evaluation highly depends on the kind of specifica- 
tion. For the above specification we check traces of around a thousand elements 
in approx. 30 seconds. However, it is possible to formulate specifications which 
are intractable to execution since deep backtracking is required to recognize 
traces. These specifications involve constructs such as $(true ; decision_1) \sqcup (true ; 
decision_2)$. 

4 Conclusion and Related Work 

We have presented a case study of the ZETA system, a practical, working setting 
for developing specifications based on the Z language, which allows for executing 
a subset of Z based on concurrent constraint resolution. The example of encoding 
temporal interval logics showed that higher-orderness is a key feature for an 
environment where we can add new abstractions and notations in a convenient 
and consistent way: in that temporal formulas are first-class citizens, we could 
define the operators of the logic as functions over formulas. Below, we discuss 
some further aspects. 

Animating Z. Animation of the “imperative” part of Z is provided by the ZANS 
tool [8], imperative meaning Z’s specification style for sequential systems using 
state transition schemas. This approach is highly restricted. An elaborated func- 
tional approach for executing Z has been described in [13], though no implemen- 
tation exists today, and logic resolution is not employed. Other approaches are 
based on a mapping to Prolog (e.g. [14,15]), but do not support higher-orderness. 
The approach presented in this paper goes beyond all the others, since it allows 
the combination of the functional and logic aspects of Z in a higher-order setting. 

Functional and Logic Programming Languages. There is a close relationship of 
our setting to functional logic languages such as Curry [7] or Oz [11]: in these 
languages it is possible to write functions which return constraints, enabling 
abstractions as have been used in this paper. However, our setting provides a 
tighter integration and has a richer predicate language than, for instance, Curry, including 
negation and universal quantification, which are treated by encapsulated search. 
The role of a function as a special kind of relation, of a relation as a special kind of set, and 
of application $e\,e'$ just as an abbreviation for $\mu y \mid (e', y) \in e$, makes this tight 
integration possible. 

Integrating Specific Resolution Techniques. Currently, our implementation is not 
very ambitious regarding the basic employed resolution techniques. Central to 
the computation model is not the basic solver technology (which is currently 
mere term unification) but the management of abstractions of constraints via 
sets. However, the integration of specialized solvers for arithmetic, interval and 
temporal constraints is required for our application to test-evaluation. The ex- 
tension of the model to an architecture of cooperating basic solvers is therefore 
subject of future work. 
Abstract. We investigate regular algebras, admitting infinitary regu- 
lar terms interpreted as least upper bounds of suitable approximation 
chains. The main result of this paper is an adaptation of the concept 
of behavioural constructor implementation, studied widely e.g. for stan- 
dard algebras, to the setting of regular algebras. We formulate moreover 
a condition that makes proof of correctness of an implementation step 
tractable. In particular, we indicate when it is sufficient to consider only 
finitary observational contexts in the proofs of behavioural properties of 
regular algebras. 



Keywords: Algebraic specifications, observational equivalence, regular algebras, be- 
havioural constructor implementation, proofs of behavioural properties. 



Introduction 

Behavioural semantics of algebraic specifications is widely accepted to capture 
properly the "black box" character of data abstraction. As a nontrivial example 
of an algebraic framework where behavioural ideas may be applied, we consider 
regular algebras, differing from the standard algebras in one respect: they allow 
one to additionally model "infinite" datatypes, like streams. Regular algebras 
were introduced in [16], and then studied e.g. in [17,6]. Our starting point here 
is a more recent paper [4], investigating observational equivalence of regular al- 
gebras and the induced behavioural semantics of specification. Regular algebras 
contain properly continuous algebras [15], intended usually to model "infinite" 
datatypes. Unfortunately continuous algebras are not well suited for behavioural 
semantics of specification, as they lack some crucial algebraic properties, e.g. quo- 
tients of continuous algebras do not compose (cf. [5]). 

The subject of this paper is to analyze the applicability of regular algebras 
as models of behavioural specifications in the process of stepwise development 
of software systems. A general methodology is proposed for regular algebras, 
as an adaptation of the constructor behavioural implementation [12,13]. To our 
knowledge the constructor implementation has not been studied in this setting so 
far. Regular algebras require a separate treatment, since their structure 
differs substantially from standard algebras: they have partially ordered carrier 
sets and all term-definable mappings have fixed points, given by the least upper 
bounds of appropriate approximation chains. 

* The work reported here was partially supported by the KBN grant 8 TllC 019 19. 

M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 54-69, 2000. 

This paper reports briefly contents of Chapter 5 of [9]. After preliminary 
Section 1 introducing regular algebras, observational equivalence and constructor 
implementation, in Section 2 we explain how to combine, roughly, regular and 
standard algebras. We extend the setting of regular algebras with a possibility to 
have carriers of some sorts essentially unordered (these sorts are called algebraic), 
which is strongly required in practical examples. 

In Section 3 we prove that observational indistinguishability in a regular 
algebra is induced by only finitary observable contexts - surprisingly, even when 
non-trivial approximation chains exist in carrier sets of observable sorts. This 
makes proofs of behavioural properties of regular algebras substantially easier, 
and allows one to exploit methods known for standard algebras, like context 
induction [7] or results of [1,2]. Moreover, when all observable sorts are algebraic, 
the notion of observational equivalence can be characterized by only finitary 
contexts too. Hence one can prove equivalence of regular algebras e.g. using 
standard observational correspondences [14]. 

Finally, in Sections 4 and 5 we propose an adaptation of behavioural con- 
structor implementation methodology [12,13] to the new framework. Initially, 
our main motivation was to enable finitary implementations of infinitary reg- 
ular data structures. To this aim we introduce a method, called $\mu$-induction, 
for defining fixed-points of recursors. This gives rise, at an intermediate step 
in constructor implementation, to pre-regular algebras, defined as algebras of a 
syntactical monad. Next we investigate proofs of correctness of such an imple- 
mentation step. A property is formulated, called behavioural consistency, that 
guarantees that such proofs are tractable. In Lemma 1 and Theorem 3 we 
derive a sufficient condition for this property to hold. The condition formalizes 
a methodological paradigm to ensure behavioural consistency: when defining a 
pre-regular algebra in the implementation step, one should ensure that $\bot$ in each 
sort has the smallest observable behaviour and the observable behaviour of each 
least upper bound of an approximation chain is the least upper bound of the ob- 
servable behaviours of approximants. Moreover, under that condition, the results 
from Section 3 apply and one only needs to consider finitary observational con- 
texts while proving correctness of implementation. Our general considerations 
are illustrated by a few examples in Section 1 and in the Appendix. 

Acknowledgements The author is grateful to Andrzej Tarlecki for many fruit- 
ful discussions and valuable comments during this work. 

1 Preliminaries 

56 

Slawomir Lasota 

Regular algebras. Let $\Sigma, \Sigma'$ be fixed many-sorted algebraic signatures through- 
out this paper. We omit introducing classical notions of standard $\Sigma$-algebra, 
homomorphism (the category of those is denoted $Alg_\Sigma$), subalgebra, congru- 
ence, quotient (cf. e.g. [5]). By $t_A[v]$ we denote the value of $\Sigma$-term $t$ in algebra 
$A$ under valuation $v$. For $A$ being a standard or regular algebra, by $|A|$ we de- 
note the many-sorted carrier set of $A$; by $|A|_s$ the carrier of sort $s$; by $|A|_S$, for 
a subset $S$ of sorts of $\Sigma$, the carrier sets of sorts from $S$. All sets are implicitly 
meant to be many-sorted in the sequel. 

An ordered $\Sigma$-algebra is a standard $\Sigma$-algebra whose carrier set on each sort 
$s$ is partially ordered (let $\leq_s$ denote below the partial order in $|A|_s$) and has a 
distinguished element $\bot^A_s \in |A|_s$. However, we do not assume operations in an 
ordered algebra to be monotonic. 

The set of regular $\Sigma$-terms $T^\mu_\Sigma(X)$ over $X$ is defined inductively as usual, 
with the only additional case: for any $t \in T^\mu_\Sigma(X \cup \{z : s\})_s$ and a distinguished 
variable $z$ of the same sort $s$, there is a $\mu$-term $\mu z.t$ in $T^\mu_\Sigma(X)_s$. Similarly, the 
inductive definition of the value $t_A[v]$ of a term under a valuation $v : X \to |A|$ in 
an ordered algebra $A$ needs one more case. For $t \in T^\mu_\Sigma(X \cup \{z : s\})_s$, put: 

- for $i \in \omega$, $t^{i+1}_{A[v]}(\bot) = t_A[v_i]$, where $v_i : X \cup \{z : s\} \to |A|$ extends $v$ by $v_i(z) = 
t^i_{A[v]}(\bot)$, and $t^0_{A[v]}(\bot) = \bot^A_s$. 

Now, $(\mu z.t)_A[v]$ is defined if $t^i_{A[v]}(\bot)$ are defined for all $i \in \omega$, $t^i_{A[v]}(\bot) \leq_s 
t^{i+1}_{A[v]}(\bot)$, and the least upper bound $\bigsqcup_{i \in \omega} t^i_{A[v]}(\bot)$ exists in $|A|_s$; if so, then 
$(\mu z.t)_A[v] = \bigsqcup_{i \in \omega} t^i_{A[v]}(\bot)$. An ordered $\Sigma$-algebra $A$ is regular if it satisfies the 
following conditions: 

- completeness: for all $t \in T^\mu_\Sigma(X)$ and $v : X \to |A|$, the value $t_A[v]$ is defined, 

- continuity: for all $t \in T_\Sigma(X \cup \{y : s\})_{s'}$, $q \in T^\mu_\Sigma(X \cup \{z : s\})_s$ and valu- 
ation $v : X \to |A|$, $t_A[v_i] \leq_{s'} t_A[v_{i+1}]$ and $t_A[v'] = \bigsqcup_{i \geq 0} t_A[v_i]$, 
where valuation $v' : X \cup \{y : s\} \to |A|$ extends $v$ by $v'(y) = (\mu z.q)_A[v]$ and 
$v_i : X \cup \{y : s\} \to |A|$ extends $v$ by $v_i(y) = q^i_{A[v]}(\bot)$, for $i \geq 0$. 

Continuity is required only for finitary terms $t \in T_\Sigma(X \cup \{y : s\})_{s'}$, i.e., those 
not containing the symbol $\mu$. A seemingly stronger condition (considered in [4]), 
concerning all $t \in T^\mu_\Sigma(X \cup \{y : s\})_{s'}$, is equivalent to the above one; a detailed 
proof can be found in [9]. By completeness, $\bot^A_s$ is the least element in $|A|_s$. 

Note that completeness does not imply general $\omega$-completeness. Complete- 
ness and continuity as defined above correspond to $\omega$-completeness and $\omega$- 
continuity w.r.t. definable $\omega$-chains only. Moreover, operations in a regular alge- 
bra need not even be monotonic. 

By a regular $\Sigma$-homomorphism $h : A \to B$ we mean any function $h$ such that 
for all terms $t \in T^\mu_\Sigma(X)$ and valuations $v : X \to |A|$, $h(t_A[v]) = t_B[h \circ v]$. Regular 
algebras together with regular homomorphisms form a category, called $RAlg_\Sigma$ 
in the sequel. A regular subalgebra of $A$ is any regular algebra $B$ the carrier of 
which is a subset of $|A|$ and such that for all terms $t \in T^\mu_\Sigma(X)$ and valuations 
$v : X \to |B|$, $t_B[v] = t_A[v]$. It is easy to see that all operations of $B$ are restrictions 
of operations of $A$ to $|B|$ and moreover $\bot^B_s = \bot^A_s$ for each sort $s$. For $Y \subseteq |A|$, 
by the subalgebra of $A$ generated by $Y$ we mean the least regular subalgebra of 
$A$ whose carrier includes $Y$. 

A relation ${\sim} \subseteq |A| \times |A|$ is a regular congruence iff ${\sim} = {\sqsubseteq} \cap {\sqsupseteq}$ for some 
pre-congruence $\sqsubseteq$, where a pre-congruence is any pre-order on $|A|$ satisfying: 

1. for all $t \in T_\Sigma(X \cup \{y : s\})_{s'}$, $q \in T^\mu_\Sigma(X \cup \{z : s\})_s$ and $v : X \to |A|$, the 
family $\{t_A[v_i]\}_{i \geq 0}$ is a chain w.r.t. $\sqsubseteq$ with a least upper bound $t_A[v']$, where 
valuation $v' : X \cup \{y : s\} \to |A|$ extends $v$ by $v'(y) = (\mu z.q)_A[v]$ and valua- 
tions $v_i : X \cup \{y : s\} \to |A|$ extend $v$ by $v_i(y) = q^i_{A[v]}(\bot)$, for $i \geq 0$; (footnote 1) 

2. the equivalence ${\sqsubseteq} \cap {\sqsupseteq}$ is preserved by the operations (i.e., is a standard 
congruence). 

In particular, instantiating $t$ in 1 with a single variable, we get: for all $q \in 
T^\mu_\Sigma(X \cup \{z : s\})_s$ and $v : X \to |A|$, $\{q^i_{A[v]}(\bot)\}_{i \geq 0}$ is a chain w.r.t. $\sqsubseteq$ with the 
least upper bound $(\mu z.q)_A[v]$. Given a regular congruence $\sim$, the quotient regu- 
lar algebra $A/{\sim}$ is defined (for each sort $s$) by $|A/{\sim}|_s = |A|_s/{\sim_s}$, $\bot^{A/\sim}_s = 
[\bot^A_s]_\sim$, $[a]_\sim \leq [a']_\sim$ iff $a \sqsubseteq a'$ (where $\sqsubseteq$ is a pre-congruence inducing $\sim$) and 
$f_{A/\sim}([a_1]_\sim, \ldots, [a_n]_\sim) = [f_A(a_1, \ldots, a_n)]_\sim$. For details we refer to [4]. 

Observational equivalence. There have been a number of different formalizations 
of the concept of behavioural equivalence of algebras (see [8] for an overview). 
In the following we concentrate on an observational equivalence induced by a 
subset of observable sorts; hence throughout this paper let us fix a subset $OBS$ 
of observable sorts of $\Sigma$. 

In the following, let $X$ denote some $OBS$-sorted set of variables. By a $\Sigma$- 
context of sort $s'$ on sort $s$ we mean any term $\gamma \in T^\mu_\Sigma(X \cup \{z_s : s\})_{s'}$, where $z_s$ 
is a special, distinguished variable of sort $s$ such that $z_s \notin X$. Note that $z_s$, for 
$s \notin OBS$, is the only variable of a non-observable sort appearing in a context. 
A special role is played by observable contexts, i.e., contexts of observable sort 
($s' \in OBS$). For any regular $\Sigma$-algebra $A$, $\Sigma$-context $\gamma$ on sort $s$, valuation 
$v : X \to |A|_{OBS}$ and value $a \in |A|_s$, we will write $\gamma_A[v](a)$ for $\gamma_A[v_a]$ where $v_a$ 
extends $v$ by $v_a(z_s) = a$. 

For any $A$, let $A_{OBS}$ denote its subalgebra generated by (carrier sets of) 
observable sorts; we call $A_{OBS}$ the observational subalgebra of $A$. The regular 
congruence $\approx^A_{OBS}$ on $A_{OBS}$ is defined as follows: for any $a, a' \in |A_{OBS}|_s$, $a \approx^A_{OBS} 
a'$ if and only if for all valuations $v$ into carriers of observable sorts of $A_{OBS}$ 
and all observable contexts $\gamma$, $\gamma_A[v](a) = \gamma_A[v](a')$. The congruence $\approx^A_{OBS}$ is 
called observational indistinguishability in $A$; $\approx^A_{OBS}$ is the greatest congruence 
on $A_{OBS}$ being identity on observable sorts (cf. [4]). The quotient of $A_{OBS}$ by 
$\approx^A_{OBS}$ represents the observable behaviour of $A$; $A_{OBS}/{\approx^A_{OBS}}$ is fully abstract in 
the sense that its indistinguishability is identity (in particular it equals its own 
observational subalgebra, i.e., $(A_{OBS}/{\approx^A_{OBS}})_{OBS} = A_{OBS}/{\approx^A_{OBS}}$). Two regular algebras 
are taken as equivalent when their behaviours are isomorphic: 

1 In [4] a stronger requirement was assumed, for all regular terms $t \in 
T^\mu_\Sigma(X \cup \{y : s\})_{s'}$, similarly as in the continuity condition above. In the same vein as 
above, finitary terms are sufficient here. 
Definition 1 ([4]). Observational equivalence $\equiv_{OBS}$ of regular $\Sigma$-algebras is 
defined by: 

$A \equiv_{OBS} B$ iff $A_{OBS}/{\approx^A_{OBS}} \cong B_{OBS}/{\approx^B_{OBS}}$. 

$A_{OBS}/{\approx^A_{OBS}}$ will be written in a shorthand form in the sequel. 

All definitions in this subsection are still valid when standard algebras are 
taken into account (cf. [3,2]); the only modification required is to restrict con- 
texts $\gamma$ to only finitary terms $T_\Sigma(X)$ in the definition of indistinguishability. 



Behavioural implementation A concept of observational equivalence plays a cru- 
cial role in the process of step-wise refinement. It allows one to consider possibly 
large class of acceptable realizations of a specification, under the only assumption 
that the observable behavior of the implementation conforms to the specifica- 
tion requirements. We recall below a formalization of these ideas by the notion 
of behavioural constructor implementation [12,13] in the framework of standard 
algebras. 

Let us look at an example specification of stacks of integers, as an illustration 
of a behavioural approach to implementation: 

specification STACKS extends INT, BOOL by 
sorts 

stack; 

operations axioms 

empty : stack; empty? {empty) — true, 

push{., J) : int x stack stack; empty? {push{n, s)) — false, 

pop{f) : stack stack; top{push{n, s)) = n, 

top{f) : stack int; pop{push{n, s)) — s. 

empty?{S) : stack bool; 

Consider the following candidate A for implementation of this specification, 
which realizes a stack as an infinite array of integers (modeled here as a function 
from natural numbers to integers) together with a pointer to a current position 
(top of the stack) : 

  stack_A := N × Z^N,
  empty_A := (0, λi. 0),
  push_A(n, (k, f)) := (k + 1, λi. if i = k then n else f(i)),
  pop_A((k, f)) := if k = 0 then (0, f) else (k − 1, f),
  empty?_A((k, f)) := (k = 0),
  top_A((k, f)) := if k = 0 then 0 else f(k − 1).

Obviously, this algebra does not satisfy the axioms of STACKS; in particular,
the last axiom does not hold. On the other hand, intuitively, this seems to
be a "reasonable" realization of the datatype of stacks. The intuition behind
this is as follows: although $pop(push(n, s))$ and $s$ need not be identical, they
are indistinguishable w.r.t. the observable sorts $\{bool, int\}$. This leads to the
behavioural semantics of specifications, according to which the models of a
specification $SP = (\Sigma, Ax)$ are all algebras which behaviourally (observationally)
satisfy its axioms:

$BehMod(SP) = \{A \in Alg_\Sigma : A \models_{OBS} Ax\}$.
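As an added illustration (not code from the paper), the array-based algebra $A$ above in Python, together with a checker that samples finitary observable contexts of sorts int and bool: it confirms that $pop(push(5, s))$ and $s$ are different elements of the carrier, yet no sampled context up to the chosen depth tells them apart. The depth bound and the value set {0, 1, 7} used to build push-contexts are assumptions of this example.

```python
from itertools import product

# The algebra A of the paper: a stack is a pair (k, f) with k the top pointer
# and f : N -> Z an "infinite array", modelled as a dict with default 0.
EMPTY = (0, {})

def push(n, s):
    """push_A(n, (k, f)) = (k + 1, lambda i. if i = k then n else f(i))"""
    k, f = s
    f2 = dict(f)
    f2[k] = n
    return (k + 1, f2)

def pop(s):
    """pop_A((k, f)) = if k = 0 then (0, f) else (k - 1, f)"""
    k, f = s
    return (0, f) if k == 0 else (k - 1, f)

def top(s):
    """top_A((k, f)) = if k = 0 then 0 else f(k - 1)"""
    k, f = s
    return 0 if k == 0 else f.get(k - 1, 0)

def is_empty(s):
    """empty?_A((k, f)) = (k = 0)"""
    return s[0] == 0

# Finitary observable contexts of sorts int and bool: a sequence of
# stack -> stack steps applied to the context variable, then an observation.
# The push arguments {0, 1, 7} and the depth bound are assumptions of this
# example; they give a finite sample of the (infinite) set of contexts.
STEPS = [("pop", None), ("push", 0), ("push", 1), ("push", 7)]
OBSERVATIONS = {"top": top, "empty?": is_empty}

def apply_context(steps, obs, s):
    for op, arg in steps:
        s = pop(s) if op == "pop" else push(arg, s)
    return OBSERVATIONS[obs](s)

def contexts(max_depth):
    for depth in range(max_depth + 1):
        for steps in product(STEPS, repeat=depth):
            for obs in OBSERVATIONS:
                yield steps, obs

def distinguishing_context(s1, s2, max_depth=4):
    """First sampled context (up to max_depth) whose observation differs on
    s1 and s2, or None if the stacks are indistinguishable up to that depth."""
    for steps, obs in contexts(max_depth):
        if apply_context(steps, obs, s1) != apply_context(steps, obs, s2):
            return steps, obs
    return None

def last_axiom_holds_literally(n, s):
    """pop(push(n, s)) = s as equality of carrier elements (the failing axiom)."""
    return pop(push(n, s)) == s
```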

The relation of behavioural satisfaction $\models_{OBS}$ is defined as usual, with the
only difference that equality is interpreted in an algebra $A$ as the indistinguishability
$\approx^{OBS}_A$ and variables range over the subalgebra $A_{OBS}$. Formally,
$A \models_{OBS} \varphi$ iff $A/\approx^{OBS} \models \varphi$. Behavioural semantics is closely related to the




observational equivalence of algebras. When only equational specifications are 
considered, the class of behavioural models coincides with the closure of classical 
models under observational equivalence (see [3,5]). 

The most straightforward formalization of the concept of implementation
refers to the inclusion of model classes: specification $SP' = (\Sigma', Ax')$ implements
(refines) $SP$ if each model of $SP'$ is a model of $SP$: $Mod(SP') \subseteq Mod(SP)$
(both $SP$ and $SP'$ are over the same signature here, $\Sigma' = \Sigma$). This concept
has been refined in two ways [12,13]. First, a notion of constructor implementation
was proposed: $SP'$ implements $SP$ via a constructor $\kappa : Alg_{\Sigma'} \to Alg_\Sigma$,
denoted by $SP \leadsto_\kappa SP'$, if $\kappa(Mod(SP')) \subseteq Mod(SP)$ ($\kappa(\cdot)$ is the direct image of $\kappa$).
Intuitively, the function $\kappa$, called a constructor, represents a parametrized program
realizing one refinement step. Second, a behavioural realization was taken into
account: we say that $SP'$ implements behaviourally $SP$ via $\kappa$ if

$\kappa(BehMod(SP')) \subseteq BehMod(SP)$. (1)

Appendix A contains an example of such an implementation step. In general,
the development of a system consists of a sequence of such steps,

$SP_0 \leadsto SP_1 \leadsto \cdots \leadsto SP_n$,

which finishes when $SP_n$ is the empty specification (e.g. in the implementation
of stacks by infinite arrays above, the implementing specification is implicitly
assumed to be empty).

2 Regular and Algebraic Sorts 

In many practical situations we need only some sorts of a regular algebra to have
upper bounds of approximation chains. Assume in the rest of this paper that
the set of sorts of $\Sigma$ is partitioned into two disjoint subsets of regular sorts and
algebraic sorts. The aim is to simplify the work with regular algebras and not to
be bothered with considering limit values in algebraic sorts.

In [9] it was argued that the best way to achieve this is to require the carrier
sets of algebraic sorts to be essentially flat. Formally, we say that the carrier set
of sort $s$ of a regular $\Sigma$-algebra is essentially flat if this algebra is isomorphic
(i.e., related via a bijective regular homomorphism) to a regular algebra $A$ whose
carrier set of sort $s$ has the flat ordering $\leq$ with the least element $\bot$ (i.e., $a \leq b$
iff $a = \bot$ or $a = b$). Evidently, isomorphic regular algebras can have different
orders.

In the rest of this paper we implicitly assume that some subset of algebraic
sorts is distinguished and that all regular algebras considered are essentially flat
on those sorts.

3 Finitary Observations 

Roughly, finitary observational contexts (i.e., those not containing the symbol $\mu$) are
powerful enough for indistinguishability in a regular algebra; the only infinitary
regular terms really needed are those denoting bottoms $\bot$. For fixed $OBS$, consider
the set of all observable contexts $\gamma \in T^\mu_\Sigma(X \cup \{z_s : s\})$ such that the only
possible $\mu$-subterms of $\gamma$ are of the form $\mu x.x$. In the sequel, by finitary terms
we also mean those containing $\mu$-subterms of the form $\mu x.x$, and by finitary
observable contexts the elements of this set.

Theorem 1 ([10]). In a regular algebra $A$, the observational indistinguishability
$\approx^{OBS}_A$ coincides with the contextual indistinguishability induced in $A$ by
finitary observable contexts.

As a corollary, methods of proving behavioural properties of standard algebras 
(like context induction [7] or methods developed in [1,2]) can be reused in the 
framework of regular algebras. 

Let $\Sigma(\bot)$ denote the signature $\Sigma$ enriched by a constant symbol $\bot_s$ in each sort
$s$. For a regular $\Sigma$-algebra $A$, let $|A|_{\Sigma(\bot)}$ denote the standard $\Sigma(\bot)$-algebra with
carrier sets and operations as in $A$ and with $\bot_s$ interpreted as $\bot^A_s$ in each sort.

By Theorem 1 we conclude that observational indistinguishability in a regular
algebra $A$ coincides with the indistinguishability in $|A|_{\Sigma(\bot)}$. But observational
equivalence of regular algebras is not reducible to observational equivalence of
standard $\Sigma(\bot)$-algebras: it does not hold that

$A \equiv_{OBS} B \iff |A|_{\Sigma(\bot)} \equiv_{OBS} |B|_{\Sigma(\bot)}$ (2)

(note that on the right-hand side $\equiv_{OBS}$ denotes observational equivalence of
standard $\Sigma(\bot)$-algebras).

Let us find out where the difficulties are. Since $\approx^{OBS}_A$ is clearly a standard
$\Sigma(\bot)$-congruence, the forgetful functor $|\cdot|_{\Sigma(\bot)}$ commutes with the observational
quotient:

$|A_{OBS}|_{\Sigma(\bot)}/\approx^{OBS}_A = |A_{OBS}/\approx^{OBS}_A|_{\Sigma(\bot)}$. (3)

The observational (standard, regular) subalgebras are generated by (finitary, regular)
terms, hence $(|A|_{\Sigma(\bot)})_{OBS} = (|A_{OBS}|_{\Sigma(\bot)})_{OBS}$. Moreover, $(|A|_{\Sigma(\bot)})_{OBS}$
may be a proper subalgebra of $|A_{OBS}|_{\Sigma(\bot)}$ in general; this is why we need
another symbol $\approx_{OBS}$ to stand for the indistinguishability (by means of $\Sigma(\bot)$-contexts)
in $(|A|_{\Sigma(\bot)})_{OBS}$. However, by Theorem 1, $\approx^{OBS}_A$ and $\approx_{OBS}$ agree on
$(|A|_{\Sigma(\bot)})_{OBS}$, so the implication from left to right holds in (2). On the other
hand, from $|A|_{\Sigma(\bot)} \equiv_{OBS} |B|_{\Sigma(\bot)}$, i.e. from

$(|A|_{\Sigma(\bot)})_{OBS}/\approx_{OBS} \cong (|B|_{\Sigma(\bot)})_{OBS}/\approx_{OBS}$,

we cannot even conclude (e.g. using (3)) that $|A/\approx^{OBS}|_{\Sigma(\bot)} \cong |B/\approx^{OBS}|_{\Sigma(\bot)}$; but
even if we could, this would not guarantee $A/\approx^{OBS} \cong B/\approx^{OBS}$ in general. Intuitively,
finitary contexts are more powerful in regular algebras than in standard
algebras.

It is common in practical examples that all observable sorts are intended
to be essentially flat. Besides practical advantages, essentially flat carriers of
observable sorts imply that finitary observational contexts (and consequently
standard correspondences) are sufficient for observational equivalence of regular
algebras, in contrast to the negative statement (2) above.

Theorem 2 ([10]). For regular algebras $A$ and $B$ with essentially flat carrier
sets of observable sorts, $A \equiv_{OBS} B$ iff $|A|_{\Sigma(\bot)} \equiv_{OBS} |B|_{\Sigma(\bot)}$.

As a conclusion, we obtain an effective complete proof technique for observational
equivalence of regular algebras:

Corollary 1. Regular algebras with essentially flat carrier sets of observable
sorts are observationally equivalent iff they are related by an observational
$\Sigma(\bot)$-correspondence [14].

The proofs omitted here can be found in [10].

4 Behavioural Implementation of Regular Algebras 

In [9] it was argued that when implementation of regular algebras is considered,
it is not always possible to reuse the partial order of a model of the implementing
specification in a construction of a model of the implemented one. This problem
arises especially when an algebraic sort is to implement a regular one, which seems
to be common in practical examples. As an example, consider regular algebras as
models of the specification of stacks from Section 1; this opens the possibility to
define infinite streams, e.g. $\mu x.push(1, push(0, x))$. Let us look at the following
Pascal-like implementation of stacks by pointers linking dynamically allocated
memory cells.



  specification MEMORY extends INT, BOOL by
    sorts
      memory, address;
    operations
      initmem : memory;
      null : address;
      alloc(_) : memory → memory × address;
      avail(_, _) : memory × address → bool;
      _[_].val : memory × address → int;
      _[_].nxt : memory × address → address;
      (_[_].val ← _) : memory × address × int → memory;
      (_[_].nxt ← _) : memory × address × address → memory;
      _[_] ← _ : memory × address × int × address → memory;
      copy(_, _, _) : memory × address × address → memory;
    axioms
      a ≠ null ⇒ avail(initmem, a) = true,
      alloc(m) = (m', a) ⇒ a ≠ null ∧
        avail(m, a) = true ∧ avail(m', a) = false ∧ identical(m, m', a),
      a ≠ null ∧ m' = (m[a].val ← x) ⇒ m'[a].val = x ∧
        avail(m', a) = avail(m, a) ∧ m'[a].nxt = m[a].nxt ∧ identical(m, m', a),
      a ≠ null ∧ m' = (m[a].nxt ← a'') ⇒ m'[a].nxt = a'' ∧
        avail(m', a) = avail(m, a) ∧ m'[a].val = m[a].val ∧ identical(m, m', a),
      m[a] ← (x, a') = ((m[a].val ← x)[a].nxt ← a'),
      copy(m, a, a') = ((m[a'].val ← m[a].val)[a'].nxt ← m[a].nxt),
      (identical(m, m', a) ⇔ (∀a' ∈ address. a ≠ a' ⇒
        avail(m, a') = avail(m', a') ∧ m[a'].val = m'[a'].val ∧ m[a'].nxt = m'[a'].nxt)).

For MEMORY, the set of observable sorts is $OBS = \{bool, int\}$; all sorts are intended
to be essentially flat. We choose a constructor $\kappa_{memory}$ taking a regular algebra
over the signature of MEMORY to an algebra over the signature of STACKS. It is
defined by:

  stack := memory × address,
  empty := (initmem, null),
  top((m, a)) := if a = null ∨ a = ⊥_address then ⊥_int else m[a].val,
  pop((m, a)) := if a = null ∨ a = ⊥_address then (m, a) else (m, m[a].nxt),
  push(x, (m, a)) := let (m', a') = alloc(m) in (m'[a'] ← (x, a), a').

It implements in a straightforward manner all finite stacks, but what about
infinite ones? Are they realizable in (behavioural) models of MEMORY? In this
particular case the right idea is to exploit cyclic lists; however, a more universal
method is needed in general.

For a given model of MEMORY, consider an algebra $A$ yielded by $\kappa_{memory}$.
Roughly, our idea is to define a semantical counterpart of the $\mu$-operator, that is,
for each function $f : |A|_{stack} \to |A|_{stack}$, a value $fix_{stack}(f)$ in $|A|_{stack}$. This is
enough to define the values of all regular terms, since we can take $fix_{stack}(f)$ as the
value of a $\mu$-term $\mu x.t$ under a valuation $v$, for an appropriate function $f$ induced
by $t$ and $v$. Formally, we can define inductively the value of $\mu x.t$ by:
$(\mu x.t)_A[v] := fix_{stack}(\lambda a.\ t_A[v_a])$, where $v_a$ extends $v$ by $v_a(x) = a$. In our example
this could look like

  fix_stack(f) := let (m', a') = alloc(initmem), (m, a) = f((m', a')) in
                  if a ≠ a' then (copy(m, a, a'), a) else (initmem, ⊥_address).

This method of defining the values of all $\mu$-terms will be called $\mu$-induction in
the sequel. In general, it is sufficient to define $\bot$ in each algebraic sort and
a fix operator for each regular sort. For regular sorts $s$, we derive $\bot_s$ for instance
by $\bot_s = fix_s(id_{A_s})$ (e.g. $\bot_{stack} = (initmem, \bot_{address})$); for algebraic sorts
$s$, one can assume that $fix_s(f) = f(\bot_s)$. Hence $\mu$-induction in an algebra $A$
needs a family $\{\bot_s\}$ indexed by algebraic sorts $s$ and a family of functions
$fix_s : (|A|_s \to |A|_s) \to |A|_s$, indexed by regular sorts $s$.
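The $\mu$-induction just described, as an added example that is not the paper's own code: a small model of MEMORY, the constructor $\kappa_{memory}$, and the $fix_{stack}$ operator built from alloc and copy, used to evaluate $\mu x.push(1, push(0, x))$ to a cyclic list and to derive $\bot_{stack}$. Addresses are integers with null = 0, and representing $\bot_{address}$ and $\bot_{int}$ by the sentinel constants BOT_ADDR and BOT_INT is an assumption of the example.

```python
NULL = 0
BOT_ADDR = -1      # bottom of sort address (constructed representation)
BOT_INT = None     # bottom of sort int (constructed representation)

# A model of MEMORY: a memory is (cells, free) where cells maps an address
# to its (val, nxt) pair and free is the next unallocated address.
INITMEM = ({}, 1)  # address 0 is null and is never allocated

def alloc(m):
    """alloc(m) = (m', a) with a != null and a fresh in m."""
    cells, free = m
    return ((cells, free + 1), free)

def val(m, a):
    return m[0][a][0]

def nxt(m, a):
    return m[0][a][1]

def write(m, a, x, a2):
    """m[a] <- (x, a'): set both fields of cell a (memories are immutable)."""
    cells, free = m
    cells = dict(cells)
    cells[a] = (x, a2)
    return (cells, free)

def copy(m, a, a2):
    """copy(m, a, a') = ((m[a'].val <- m[a].val)[a'].nxt <- m[a].nxt)"""
    return write(m, a2, val(m, a), nxt(m, a))

# kappa_memory: the STACKS operations over MEMORY, stack = memory x address
EMPTY = (INITMEM, NULL)

def top(s):
    m, a = s
    return BOT_INT if a in (NULL, BOT_ADDR) else val(m, a)

def pop(s):
    m, a = s
    return s if a in (NULL, BOT_ADDR) else (m, nxt(m, a))

def push(x, s):
    m, a = s
    m2, a2 = alloc(m)
    return (write(m2, a2, x, a), a2)

def fix_stack(f):
    """fix_stack as in Section 4: allocate a placeholder cell a' in initmem,
    apply f to the stack (m', a'), and if f pushed anything close the cycle by
    copying f's top cell onto the placeholder; otherwise return bottom."""
    m1, a1 = alloc(INITMEM)
    m, a = f((m1, a1))
    if a != a1:
        return (copy(m, a, a1), a)
    return (INITMEM, BOT_ADDR)

def mu_stream(values):
    """Value of mu x. push(v1, push(v2, ... push(vn, x))) by mu-induction."""
    def body(x):
        for v in reversed(values):
            x = push(v, x)
        return x
    return fix_stack(body)

def observe(s, n):
    """Observable behaviour sampled as the first n tops along s, pop(s), ..."""
    out = []
    for _ in range(n):
        out.append(top(s))
        s = pop(s)
    return out
```

For mu_stream([1, 0]) the resulting cyclic list yields the tops 1, 0, 1, 0, ... without ever reaching the bottom address.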

According to the terminology used below, $A$ defined in this way is a pre-regular
algebra, differing from a regular algebra in at least one respect: its carrier
sets are not ordered and consequently it does not satisfy continuity; in particular,
the values of $\mu$-terms given by $\mu$-induction do not have to be fixed points. In
what follows, we introduce pre-regular algebras and use them in the behavioural
implementation step of regular algebras.

4.1 Pre-Regular Algebras 

Let $S$ denote the set of sorts of a fixed signature $\Sigma$. It is reasonable to consider
an abstract syntax given by the set $T^\mu_\Sigma(X)$ of regular terms up to $\alpha$-conversion,
equal to the quotient of $T^\mu_\Sigma(X)$ by all equalities of the form $\mu x.t(x) = \mu y.t(y)$,
for all terms $t$ and variables $x, y$. The mapping $X \mapsto T^\mu_\Sigma(X)$ can be extended to
an endofunctor on $Set^S$, similarly to the endofunctor $X \mapsto T_\Sigma(X)$; moreover,
in a similar way, $T^\mu_\Sigma$ can be extended to a monad, i.e., equipped with unit and
multiplication. By $\mu$-induction we define in fact an algebra of this monad; $T^\mu_\Sigma$-algebras
are called pre-regular algebras in the sequel. By the very definition, a
pre-regular algebra has enough structure to assign values to all regular terms, in
a canonical way. Morphisms of $T^\mu_\Sigma$-algebras are precisely those functions which
preserve the values of all regular terms, similarly as regular homomorphisms: $h$ is a
morphism from $A$ to $B$ iff $h(t_A[v]) = t_B[h \circ v]$ for any regular term $t$ and valuation
$v$ in $A$ (this category is denoted $Pre\text{-}RAlg_\Sigma$ in the sequel).

Each regular algebra is (via the evident forgetful functor) a pre-regular algebra;
in fact, the category $RAlg_\Sigma$ is equivalent to a full subcategory of pre-regular
algebras. Moreover, the forgetful functor has a left adjoint:

Proposition 1. $RAlg_\Sigma$ is a reflective subcategory of $Pre\text{-}RAlg_\Sigma$.

Proof. Observe that the notion of pre-congruence from Section 1 is meaningful
in a pre-regular algebra. By the quotient of a pre-regular algebra $A$ by a pre-congruence
$C$, denoted by $A/C$, we mean the quotient by the congruence $C \cap C^{-1}$
induced by $C$; $A/C$ is a regular algebra, i.e., it can be appropriately equipped with
a partial order, similarly as in Section 1.

Exploiting these facts, the left adjoint to the forgetful functor is given by
the quotient of a pre-regular algebra $A$ by the smallest pre-congruence $\sqsubseteq_A$ in
$A$, $A \mapsto A/\sqsubseteq_A$. This mapping is functorial. To see this, notice that every
morphism $f : A \to B$ of pre-regular algebras together with a pre-congruence $C$ on
$B$ induces a pre-congruence $\{(a, a') : f(a)\ C\ f(a')\}$ on $A$.

Since $\sqsubseteq_A$ is the smallest pre-congruence, there exists a unique morphism
$A/\sqsubseteq_A \to B/\sqsubseteq_B$ making the square formed with the quotient projections
(the horizontal maps) commute. Moreover, by the very definition, this induced
morphism is a regular homomorphism.

When $B$ is regular, $\sqsubseteq_B$ induces the identity congruence; thus, by instantiating
the diagram above we immediately get a 1-1 correspondence between the hom-sets
$Hom_{Pre\text{-}RAlg_\Sigma}(A, B)$ and $Hom_{RAlg_\Sigma}(A/\sqsubseteq_A, B)$. Hence the quotient functor
$\_/\sqsubseteq_\_$ is the left adjoint to the embedding of $RAlg_\Sigma$ into $Pre\text{-}RAlg_\Sigma$; the
projections $\pi$ form a unit. □

Notions of subalgebra, quotient, etc. can be straightforwardly extended to
pre-regular algebras. The relation $\models_{OBS}$ of behavioural satisfaction can be lifted
to pre-regular algebras in a natural way. By $A \models_{OBS} \phi$ for pre-regular $A$, we
mean that $A/\approx^{OBS}_A \models \phi$, where $\approx^{OBS}_A$ denotes the indistinguishability induced by
the set of all observable contexts (including $\mu$-terms) in the pre-regular subalgebra
$A_{OBS}$ of $A$ generated by $OBS$. ($A_{OBS}$ contains precisely those elements that
are the value of some regular term with only observable variables.) Note that it is
indispensable to take all contexts into account, since the values of $\mu$-terms in a
pre-regular algebra can be defined arbitrarily and we cannot use continuity, as in the
case of regular algebras in Theorem 1, to restrict the set of relevant contexts.
Moreover, considering all regular contexts guarantees that $\approx^{OBS}_A$ is a congruence
on $A_{OBS}$ (in fact, the greatest congruence which is identity on $OBS$). In
the following section we overload the symbol $\equiv_{OBS}$ to denote also the equivalence of
pre-regular algebras factorized by the indistinguishabilities $\approx^{OBS}$, similarly as stated
for regular algebras in Definition 1.

5 Constructor Implementation Step 

By now, we have found pre-regular algebras useful in the behavioural implementation
of regular algebras. Motivated by examples and by Proposition 1, we propose
an implementation methodology for regular algebras, as a slight adaptation
of the behavioural constructor implementation of standard algebras presented
in Section 1. By abuse of notation, given a specification $SP$ over $\Sigma$, by
$BehMod(SP)$ we mean the class of all regular $\Sigma$-algebras which satisfy
$SP$ behaviourally and whose algebraic sorts are essentially flat.

Let $SP, SP'$ be two specifications over $\Sigma$ and $\Sigma'$, respectively. Let $OBS$ denote
the subset of observable sorts in $SP$. In order to express the way in which $SP'$
implements (refines) $SP$, we define a constructor $\kappa : RAlg_{\Sigma'} \to Pre\text{-}RAlg_\Sigma$, for
instance by $\mu$-induction. This mapping induces a function $\kappa' : RAlg_{\Sigma'} \to RAlg_\Sigma$,
$A \mapsto \kappa(A)/\sqsubseteq_{\kappa(A)}$. But for a technical reason, which becomes apparent in (8)
below, instead of $\sqsubseteq_{\kappa(A)}$ we prefer to quotient $\kappa(A)$ by the smallest pre-congruence
on the observable subobject, that is on the subobject $\kappa(A)_{OBS}$ of $\kappa(A)$ generated
by the observable sorts²:

$\kappa'(A) := \kappa(A)_{OBS}/\sqsubseteq_{\kappa(A)_{OBS}}$.

Then, we say that $SP'$ implements behaviourally $SP$ via $\kappa$ if

$\kappa'(BehMod(SP')) \subseteq BehMod(SP)$. (4)



5.1 Behavioural Consistency 

Similarly as in the case of standard algebras, for the correctness of the constructor
implementation step one needs to show (4). When $SP = (\Sigma, Ax)$ is a basic
specification given by a set of axioms, (4) can be proved for instance by showing
that $\kappa'(A)$ behaviourally satisfies the axioms of $SP$, for any behavioural model $A$
of $SP'$. However, this is difficult in practice, since the congruence in the construction
of $\kappa'(A)$ is not given explicitly; the task would be simpler if we could
consider $\kappa(A)$ instead of $\kappa'(A)$. This would be the case when $\kappa(A)$ and $\kappa'(A)$
behaviourally satisfy the same formulas:

$\{\phi : \kappa(A) \models_{OBS} \phi\} = \{\phi : \kappa'(A) \models_{OBS} \phi\}$. (5)

We say that the constructor $\kappa$ is behaviourally consistent if (5) holds for all $A$ in
$BehMod(SP')$. A sufficient condition for (5) is:

$\kappa(A) \equiv_{OBS} \kappa'(A)$ for each $A \in BehMod(SP')$, (6)

where $\equiv_{OBS}$ denotes the equivalence of pre-regular algebras factorized by the
indistinguishabilities $\approx^{OBS}$. The rest of this section is devoted mainly to
formulating a condition sufficient for (6).

² $\sqsubseteq_{\kappa(A)_{OBS}}$ need not coincide with $\sqsubseteq_{\kappa(A)}$ restricted to $\kappa(A)_{OBS}$; the latter is coarser
in general.

In the sequel let $B := \kappa(A)_{OBS}$ denote the observable subalgebra of the pre-regular
algebra yielded by $\kappa$, for an arbitrary fixed $A \in BehMod(SP')$. Since
$\kappa(A) \equiv_{OBS} B$, (6) is equivalent to

$B \equiv_{OBS} B/\sqsubseteq_B$. (7)

Hence, for behavioural consistency (in fact for (7)) it is sufficient to know that
$\sqsubseteq_B$ induces an observational congruence on $B$:

$\sqsubseteq_B \cap \sqsubseteq_B^{-1} \subseteq \approx^{OBS}_B$. (8)

(8) states that the congruence induced by $\sqsubseteq_B$ is identity on observable sorts; in
other words, imposing continuity on $B$ does not lead to identification of observable
elements. From the practical perspective this is a natural condition, since
it conforms neatly to the situation when observable sorts are to support some
standard datatypes, which remain unaffected during a refinement step.

For (8) to hold, $\approx^{OBS}_B$ should necessarily be a total congruence (i.e., $B = B_{OBS}$).
Fortunately, it is so since $B$ is generated by $OBS$ (recall the definition of $\kappa'$
at the beginning of this section).

Evidently, $\approx^{OBS}_B$ is equal to $\leq^{OBS}_B \cap (\leq^{OBS}_B)^{-1}$, where the observational
pre-order $\leq^{OBS}_B$ is defined analogously to $\approx^{OBS}_B$: for $b, b' \in |B|_s$, $b \leq^{OBS}_B b'$ if and
only if for all valuations $v : X \to |B|_{OBS}$ and all regular observable contexts $\gamma$,
$\gamma_B[v](b) \leq \gamma_B[v](b')$; $\leq$ stands here for the flat order in all observable sorts.³
Having this, we conclude that for (8) it is sufficient to have $\sqsubseteq_B \subseteq \leq^{OBS}_B$. Now,
recalling that $\sqsubseteq_B$ is the smallest pre-congruence on $B$, we deduce:

Lemma 1. A constructor $\kappa$ is behaviourally consistent whenever $\leq^{OBS}_{\kappa(A)_{OBS}}$ is a
pre-congruence on $\kappa(A)_{OBS}$, for each $A \in BehMod(SP')$.

From now on we develop a sufficient condition for this to hold. Since $B$ is generated
by $OBS$, we can suitably represent each non-observable value by a term
with only observable variables. This implies that operations in $B$ are monotonic
w.r.t. $\leq^{OBS}_B$, hence $\leq^{OBS}_B$ is preserved by operations. We need to check the other
condition from the definition of pre-congruence (cf. Section 1). For any recursor
$q \in |T^\mu_\Sigma(X \cup \{z : s\})|_s$ and valuation $v : X \to |B|$, let $b_i := q^i_B[v](\bot)$, for
$i = 0, 1, \ldots$, and $b := (\mu z.q)_B[v]$; then we should show that

for each $t \in T_\Sigma(X \cup \{y : s\})$ and $u : X \to |B|$, $\{t_B[u_i]\}_{i \in \omega}$ is a chain
w.r.t. $\leq^{OBS}_B$ with l.u.b. $t_B[u']$ ($u_i$, $i \in \omega$, and $u'$ extend $u$ by $u_i(y) = b_i$
and $u'(y) = b$).

As $B$ is generated by $OBS$, we may replace each occurrence of a non-observable
variable in $t$ (besides $y$) by a term with only observable variables; hence the
mapping $a \mapsto t_B[u[y \mapsto a]]$ preserves $\leq^{OBS}_B$. This allows us to replace the condition
above with a simpler one:

$\{b_i\}_{i \in \omega}$ is a chain w.r.t. $\leq^{OBS}_B$ with a least upper bound $b$.

³ Surprisingly, at this point we could use any partial order instead of $\leq$.

Moreover, the mapping $a \mapsto q_B[v[z \mapsto a]]$ preserves $\leq^{OBS}_B$ by the same argument
as above, hence for the last formula it suffices that the following two conditions
hold:

$\bot_s \leq^{OBS}_B b'$ for all $b' \in B_s$, (9)

$b = \bigsqcup_{i \in \omega} b_i$ w.r.t. $\leq^{OBS}_B$. (10)

The observable behaviour of an element of $B$ consists of the infinite tuple of values
yielded by all observable contexts (with all valuations into observable sorts)
applied to it. As $\leq^{OBS}_B$ is the point-wise pre-order, (9) and (10) say that a
bottom $\bot$ has the smallest observable behaviour and that the observable behaviour
of $b$ is the least upper bound of the behaviours of the $b_i$. This allows us to formulate
a methodological paradigm:

A constructor is guaranteed to be behaviourally consistent whenever $\bot$
in each sort has the smallest observable behaviour and the observable
behaviour of each (candidate for) least upper bound of an approximation
chain is the least upper bound of the observable behaviours of the approximants.

Expanding the definition of $\leq^{OBS}_B$ and recalling that $\leq$ was chosen to be flat, the
paradigm can be formalized as follows:

Theorem 3. A constructor $\kappa$ is behaviourally consistent if for each behavioural
model $A$ of $SP'$ it holds: for all contexts $\gamma \in T^\mu_\Sigma(X \cup \{z_s : s\})_o$ of an observable
sort $o$ and valuations $w$ into observable carriers of $B := \kappa(A)_{OBS}$,

- $\gamma_B[w](\bot_s) \neq \bot_o \Rightarrow \forall b \in B_s.\ \gamma_B[w](b) = \gamma_B[w](\bot_s)$,

- for any $q \in T^\mu_\Sigma(X \cup \{z : s\})_s$ and $v : X \to |B|$, let $b_i := q^i_B[v](\bot_s)$, $i \in \omega$, and
$b := (\mu z.q)_B[v]$; then

$\forall i \in \omega.\ (\gamma_B[w](b_i) \neq \bot_o \Rightarrow \gamma_B[w](b) = \gamma_B[w](b_i))$,

$(\forall i \in \omega.\ \gamma_B[w](b_i) = \bot_o) \Rightarrow \gamma_B[w](b) = \bot_o$.

For instance, $\kappa_{memory}$ from the beginning of the previous section is behaviourally
consistent.



5.2 Finitary Contexts 

Theorem 3 concerns all regular observable contexts $\gamma$. From a practical perspective,
especially when considering proof methods for behavioural properties, it
would be useful to be able to restrict to only finitary contexts. Assume for a
while that we replaced $\leq^{OBS}_B$ in Lemma 1 with the pre-order induced by only
finitary contexts (similarly as in Theorem 1 in Section 3). If we prove now
that this pre-order is a pre-congruence, then the induced congruence, say $\sim$,
necessarily coincides with $\approx^{OBS}_B$. This follows from the fact that $\sim$ is obviously
coarser than $\approx^{OBS}_B$, but on the other hand it is necessarily identity
on $OBS$. Since $\approx^{OBS}_B$ is the greatest congruence being identity on $OBS$, we
get $\sim\ =\ \approx^{OBS}_B$ (this idea of identifying a sufficient subset of "crucial" contexts
comes e.g. from [1]). From this we conclude that Lemma 1 would still hold and
behavioural consistency would follow.

Unfortunately, our further considerations (culminating in Theorem 3) are no
longer valid when only finitary contexts are taken into account. Infinitary
regular terms are indispensable when a valuation maps a variable to a value in $B$
not representable by a finitary term with observable variables. Consequently, we
can only restrict the proof obligation stated in Theorem 3 to those contexts $\gamma$
that contain no occurrence of the context variable inside a $\mu$-term.

Surprisingly, finitary contexts are sufficient for proving correctness of implementation
when we already know that $\kappa$ is behaviourally consistent. Namely, by
(5), every proof in $\kappa(A)$ involving observational contexts can be carried over to
$\kappa'(A)$, where finitary contexts suffice by Theorem 1.



6 Final Remarks 

The main result of this paper is an adaptation of the behavioural constructor
implementation methodology to the framework of regular algebras. A proof obligation
was given that guarantees (together with results on the finitary character of
observational indistinguishability) that the proof of correctness of an implementation
step is feasible.

The subject still needs more study, especially the issue of proving correctness
of implementation. In particular, we did not tackle the task of proving
that carriers of algebraic sorts are essentially flat in the implementation step.
Moreover, an interesting topic for further research is to investigate the relationship
between regular algebras and coalgebraic specifications [11] and to try to apply
the proof methods used there. It could probably be of some relevance here that
the initial regular $\Sigma$-algebra can be seen as a suitable sub-coalgebra of the final
$\Sigma(\bot)$-coalgebra, hence it admits the coinduction principle.
A An Example of Behavioural Constructor Implementation

As an example, consider a specification of queues and its behavioural implemen- 
tation by pairs of stacks. 



  specification QUEUES extends INT, BOOL by
    sorts
      queue;
    operations
      empty_queue : queue;
      empty_queue?(_) : queue → bool;
      put(_, _) : queue × int → queue;
      get(_) : queue → int;
      rest(_) : queue → queue;
    axioms
      empty_queue?(empty_queue) = true
      empty_queue?(put(q, e)) = false
      empty_queue?(q) ⇒ get(put(q, e)) = e ∧ rest(put(q, e)) = q
      ¬ empty_queue?(q) ⇒ get(put(q, e)) = get(q) ∧ rest(put(q, e)) = put(rest(q), e)



A constructor behavioural implementation of QUEUES by STACKS may be given by
the following definitions (some ad hoc, but hopefully self-explanatory notation is
used here to define a function that maps Sig(STACKS)-algebras to Sig(QUEUES)-algebras):

  queue := stack × stack
  empty_queue := (empty, empty)
  empty_queue?((s1, s2)) := empty?(s1) ∧ empty?(s2)
  put((s1, s2), e) := (push(e, s1), s2)
  get((s1, s2)) :=
      if empty?(s2) then let s2' = reverse((s1, s2)) in top(s2')
      else top(s2)
  rest((s1, s2)) :=
      if empty?(s2) then let s2' = reverse((s1, s2)) in (empty, pop(s2'))
      else (s1, pop(s2))
  reverse((empty, s)) = s
  reverse((push(n, s1), s2)) = reverse((s1, push(n, s2)))

This is a correct implementation only when behavioural satisfaction is assumed,
w.r.t. observable sorts {int, bool}.
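The constructor above run on a list-based model of STACKS, as an added example rather than the appendix's own code: it shows that the fourth axiom of QUEUES fails as an equality of carrier elements but holds for the observable behaviour, taken here as the sequence of (empty_queue?, get) observations along repeated rest. Taking top of the empty stack to be 0 and pop of the empty stack to be the empty stack is an assumption made so that all operations are total.

```python
# A list-based model of STACKS: a stack is a tuple, push prepends.
EMPTY = ()

def push(n, s):
    return (n,) + s

def pop(s):
    return s[1:]                  # pop(empty) = empty (assumption)

def top(s):
    return s[0] if s else 0       # top(empty) = 0 (assumption)

def is_empty(s):
    return not s

# The constructor of Appendix A: queue = stack x stack
EMPTY_QUEUE = (EMPTY, EMPTY)

def reverse(pair):
    """reverse((empty, s)) = s; reverse((push(n, s1), s2)) = reverse((s1, push(n, s2)))"""
    s1, s2 = pair
    while not is_empty(s1):
        s1, s2 = pop(s1), push(top(s1), s2)
    return s2

def empty_queue_p(q):
    s1, s2 = q
    return is_empty(s1) and is_empty(s2)

def put(q, e):
    s1, s2 = q
    return (push(e, s1), s2)

def get(q):
    s1, s2 = q
    return top(reverse(q)) if is_empty(s2) else top(s2)

def rest(q):
    s1, s2 = q
    if is_empty(s2):
        return (EMPTY, pop(reverse(q)))
    return (s1, pop(s2))

def behaviour(q, depth=8):
    """Observations (empty_queue?, get) of q, rest(q), rest(rest(q)), ... up to
    `depth` steps: a sampled observable behaviour of q w.r.t. {bool, int}."""
    out = []
    for _ in range(depth):
        out.append((empty_queue_p(q), get(q)))
        q = rest(q)
    return tuple(out)

def fourth_axiom_literally(q, e):
    """rest(put(q, e)) = put(rest(q), e) as equality of pairs of stacks."""
    return rest(put(q, e)) == put(rest(q), e)

def fourth_axiom_behaviourally(q, e):
    """The same axiom (for non-empty q) judged on observable behaviour."""
    return (get(put(q, e)) == get(q)
            and behaviour(rest(put(q, e))) == behaviour(put(rest(q), e)))
```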

If we intend specifications STACKS and QUEUES to describe regular algebras,
we ought to extend the implementation step by a definition of $fix_{queue}$. An infinite
queue behaves like an infinite stack, with the get(_) and rest(_) operations
corresponding to pop(_) and top(_), respectively. Moreover, putting new elements into
an infinite queue has no effect. Hence we may essentially re-use the fix operator
of stacks:

  fix_queue(f) := (empty, fix_stack(λs. reverse(f((empty, s))))).

In particular, we derive ⊥_queue = (empty, ⊥_stack).

Some larger examples of specification and implementation in the setting of
regular algebras can be found in [9].
Abstract. The paper presents an extension of the proof editor Alfa with
natural-language input and output. The basis of the new functionality is
an automatic translation to syntactic structures that are closer to natural
language than the type-theoretical syntax of Alfa. These syntactic
structures are mapped into texts in languages such as English, French,
and Swedish. In this way, every theory, definition, proposition, and proof
in Alfa can be translated into a text in any of these languages. The translation
is defined for incomplete proof objects as well, so that a text with
"holes" (i.e. metavariables) in it can be viewed simultaneously with a
formal proof being constructed. The mappings into natural language also work
in the parsing direction, so that input can be given to the proof editor
in a natural language.

The natural-language interface is implemented using the Grammatical
Framework GF, so that it is possible to change and extend the interface
without recompiling the proof editor. Such extensions can be made in
two dimensions: by adding new target languages, and by adding theory-specific
grammatical annotations to make texts more idiomatic.



1 Introduction 

Computer algebra systems, such as Mathematica [21] and Maple [14], are widely 
used by mathematicians and students who do not know the internals of these 
systems. Proof editors, such as Coq [1], LEGO [2], Isabelle [4], and ALF [15], are 
less widely used, and require more specialized knowledge than computer algebras. 
One important reason is, of course, that the structures involved in manipulating 
algebraic expressions are simpler and better understood than the structures of 
proofs, and typically much smaller. This difference is inescapable, and it may well 
be that formal proofs will never be as widely interesting as formal algebra. At 
the same time, there is one important factor of user-friendliness that can be im- 
proved: the language used for communication with the system. While computer 
algebras are reasonably conversant in the “ordinary language” of mathematics, 
that is, expressions that occur in ordinary mathematical texts, proof editors only 
read and write artificial languages that are designed by logicians and computer 
scientists but not used in mathematical texts. 

* The authors are grateful to anonymous referees for many suggestions and corrections. 
Making proof editors conversant in the language of ordinary proofs is clearly
a more difficult task than building support for algebraic expressions. There are
two main reasons for this: first, ordinary algebraic symbolism is quite formal
already, and reflects the underlying mathematical structures more closely than
proof texts in books reflect the structure of proofs. Second, the realm of proofs
is much wider than algebraic expressions, which is already shown by the fact
that proofs can contain arbitrary algebraic expressions as parts and that they
also contain many other things.

We are far from a situation in which it is possible to take an arbitrary math- 
ematical text (even a self-contained one) and feed it into a proof editor so that 
the machine can check whether the proof is correct, or even return a list of open 
problems if the proof contains leaps too long for the machine to follow. What 
is within reach, however, is a restricted language at the same time intelligible 
to non-specialist users, formally defined, and implemented on a computer. With 
such a language, it is not guaranteed that the machine understands all input 
that the user finds meaningful, but the machine will always be able to produce 
output meaningful for the user. 

The idea of a natural-language-like formal language of proofs was presented 
by de Bruijn under the title of Mathematical Vernacular [12]. Implementations 
of such languages have been made in connection with at least Coq [11], Mizar [3], 
and Isabelle [4] . Among these implementations, it is Coq that comes closest to the 
idea of having a language of proofs, in the same sense as type theory: a language 
in which proofs can be written, so that parts of the proof text correspond to 
parts of the formal proof. The other languages reflect the proof process rather 
than the proof object: they explain what commands the user has given to the 
machine, or what steps the machine has made automatically, when constructing 
the proof. While sometimes possibly more useful and informative than a text 
reflecting the proof object (because it communicates the heuristics of finding 
the proof), a description of the proof process is more system-dependent and less 
similar to ordinary proof texts than a description of the proof object. 

Like the “text extraction” functionality of Coq [11], the present work aims 
to build a language of proofs whose structures are similar to the structures of 
proof objects. The scope of the present work is wider in certain respects: 

— We do not only consider proofs but propositions and definitions as well. 

— Our language can be used not only for output but for input as well.¹ 

— Our language can be extended by the user in the same way as proof editors 
are extended by user-defined theories. 

At the same time, the present work is more modest in one respect: 

— We do not study automatic optimizations of the text. 

The user of our interface always gets a proof text that directly reflects the 
formal proof, and thus has to do some extra work on the proof (and possibly 

¹ An extension of the Coq interface [10], however, has a reversible translation of proofs 
to texts. 
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on language extensions) to make the proof texts short. The Coq interface, in 
contrast, automatically performs certain abbreviating optimizations on the proof 
[9]. However, the optimization feature is orthogonal to the novel features of our 
system, and one may well consider combining the two into something yet more 
powerful. 

The focus of this paper is on the architecture and functionalities of a natu- 
ral language interface to a proof editor. Little will be said about the linguistic 
questions of mathematical texts; some of the linguistic background work can be 
found in [17,18]. 

2 Proof Editors, Type Theory and Functional 
Programming 

Alfa [13] is a graphical, syntax-directed editor for the proof system Agda. Agda 
[7] is an implementation of structured type theory (STT) [8], which is based on 
Martin-Löf’s type theory [16]. The system is implemented completely in Haskell, 
using the graphical user interface toolkit Fudgets [6]. 

Like its predecessors in the ALF family of proof editors [15], Alfa allows the 
user to, interactively and incrementally, define theories (axioms and inference 
rules), formulate theorems and construct proofs of the theorems. All steps in 
the proof construction are immediately checked by the system and no erroneous 
proofs can be constructed. 

Alternatively, since Martin-Löf’s type theory is a typed lambda calculus, one 
can view Alfa as a syntax-directed editor for a small purely functional program- 
ming language with a powerful type system. 

Figure 1 gives an idea of what the system looks like. 

By virtue of being based on Martin-Löf type theory, STT can draw on the 
Curry-Howard isomorphism and serve as a unified language for propositions and 
proofs, specifications and programs. This allows Alfa to be used many ways: 

— As a tool for pure logic. Alfa has in fact been used in undergraduate courses, 
allowing the students to practice doing natural deduction style proofs in 
propositional logic and predicate logic. As shown in Figure 2, Alfa has a 
mode of editing where terms are displayed as natural deduction style proof 
trees. 

— As a tool for functional programming with dependent types. The language 
STT is closely related² to the language Cayenne [5], a full-fledged functional 
programming language with dependent types. 

— As a tool for programming logic. The power of the language makes it possible 
to express both specifications and programs and to construct the proofs that 
the programs meet their specifications. 

² The differences are to some extent due to the fact that Cayenne was designed to be 
used with an ordinary text editor and a batch compiler, whereas STT is designed 
for use in interactive proof editors. 
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[Figure 1: window dump of Alfa. The menu lists the identifiers in scope, each with its 
keyboard shortcut: [c] case, [o] open, [ND] ND Style Proof, [Z] Zero, [S] Succ ?, 
[n] n ∈ Nat, [b] b ∈ Nat, [a] a ∈ Nat, [+] + ∈ (a, b ∈ Nat) Nat, [Na] Nat ∈ Set. 
The type of the selected metavariable (an element of Nat) is shown at the bottom 
of the window.] 

Fig. 1. A window dump of Alfa. 

The user has defined the natural numbers and is working on the definition of addition. 
Question marks are metavariables, also called place holders; they allow the user to 
make a definition by starting from a skeleton and gradually refining it into a complete 
definition in a top-down fashion. When a metavariable is selected, its type is displayed 
at the bottom of the window, and the menu indicates which of the identifiers in 
scope may be used to construct an expression of the required type. 





Fig. 2. A natural deduction proof in progress in Alfa. 
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3 The Grammatical Framework 

GF (Grammatical Framework) [20] is a formalism for defining grammars. A 
grammar consists of an abstract syntax and a concrete syntax. The abstract 
syntax is a version of Martin-Lof’s type theory, consisting of type and function 
definitions. The concrete syntax is a mapping of the abstract syntax, conceived 
as a free algebra, into linguistic objects. The mapping of a functional term (= 
abstract syntax tree) is called its linearization, since it is the flattening of a tree 
structure into a linear string. To give an example, the following piece of abstract 
syntax defines the category CN of common nouns, and two functions for forming 
common nouns: 

cat CN 

fun Int : CN 

fun List : CN -> CN 

To map this abstract syntax into English, we first define the class of linguistic 
objects corresponding to CN: 

param Num = sg | pl 
lincat CN = {s : Num => Str} 

The first judgement introduces the parameter of number, with the two values 
the singular and the plural. The second judgement states that common nouns 
are records consisting of one field, whose type is a table of number-string pairs. 
The linearization rule for Int is an example of such a record³: 

lin Int = {s = tbl {{sg} => "integer" ; {pl} => "integers"}} 

In practice, it is useful to employ the GF facility of defining morphological op- 
erations, such as the inflection of regular common nouns: 

oper regCN : Str -> Num => Str = 
  \str -> tbl {{sg} => str ; {pl} => str + "s"} 

We use this operator in an equivalent linearization rule for Int, as well as in the 
rule for List: 

lin Int = {s = regCN "integer"} 

lin List A = {s = tbl {n => regCN "list" ! n ++ "of" ++ A.s ! pl}} 

The common noun argument of a list expression is expressed by selecting (by 
the table selection operator ! ) the plural form of the s-field of the linearization 
of the argument. For instance, the functional term 

³ GF uses the double arrow => for tables, or “finite functions”, which are repre- 
sentable as lists of argument-value pairs. The table type is distinguished from the 
ordinary function type for metatheoretical reasons, such as the derivability of a pars- 
ing algorithm. A parallel distinction is made on the level of objects of these types: 
ordinary functions have the λ-abstract form \x -> ..., whereas tables have the form 
tbl {...}. 
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List (List Int) 

is linearized into the record 

{s = tbl { 
  {sg} => ["list of lists of natural numbers"] ; 
  {pl} => ["lists of lists of natural numbers"]}} 

showing the singular and the plural forms of the complex common noun. 

The concrete-syntax part of a grammar can be varied: for instance, the judge- 
ments 

param Num = sg | pl 
param Gen = masc | fem 
oper regCN : Str -> Num => Str = 
  \str -> tbl {{sg} => str ; {pl} => str + "s"} 
oper de : Str = 
  pre {"de" ; "d'" / strs {"a" ; "e" ; "i" ; "o" ; "u" ; "y"}} 
lincat CN = {s : Num => Str ; g : Gen} 
lin Int = {s = regCN "entier" ; g = masc} 
lin List A = 
  {s = tbl {n => regCN "liste" ! n ++ de ++ A.s ! pl} ; g = fem} 

define a French variant of the grammar above. Notice that, unlike English, the 
French rules also define a gender for common nouns, as a supplementary field of 
the record.⁴ 

The class of grammars definable in GF includes all context-free grammars 
but also more.⁵ Thus GF is applicable to a wide range of formal and natural lan- 
guages. The implementation of GF includes a generic algorithm of linearization, 
but also of parsing, that is, translating from strings back to functional terms.⁶ 
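As an added example that is not part of the paper, the English and French concrete syntaxes of this section modelled in Python: parameter tables become dicts, records become dicts with an s (and, for French, g) entry, and the parsing direction is done by generate-and-match rather than GF's own context-free parser. Gluing the elided "d'" to the following word is my own simplification of the pre rule.

```python
# Added example, not GF code from the paper: a Python model of the section 3
# grammar. Abstract syntax trees are the tuples ("Int",) and ("List", tree);
# a linearization is a record (dict) whose "s" entry is a table from the
# number parameter to strings, mirroring lincat CN = {s : Num => Str}.

SG, PL = "sg", "pl"          # param Num = sg | pl
MASC, FEM = "masc", "fem"    # param Gen = masc | fem (French only)


def reg_cn(stem):
    """oper regCN: a regular common noun adds -s in the plural."""
    return {SG: stem, PL: stem + "s"}


# ---- English concrete syntax: lincat CN = {s : Num => Str} ----
def lin_int_en():
    return {"s": reg_cn("integer")}


def lin_list_en(a):
    # lin List A = {s = tbl {n => regCN "list" ! n ++ "of" ++ A.s ! pl}}
    return {"s": {n: f"{reg_cn('list')[n]} of {a['s'][PL]}" for n in (SG, PL)}}


# ---- French concrete syntax: lincat CN = {s : Num => Str ; g : Gen} ----
VOWELS = set("aeiouy")


def de(following):
    """oper de: "de" elides to "d'" in front of a vowel (the pre {...} rule).
    Simplification: the elided form is glued to the next word ("d'entiers")."""
    return "d'" if following[:1] in VOWELS else "de "


def lin_int_fr():
    return {"s": reg_cn("entier"), "g": MASC}


def lin_list_fr(a):
    # lin List A = {s = tbl {n => regCN "liste" ! n ++ de ++ A.s ! pl} ; g = fem}
    arg = a["s"][PL]
    return {"s": {n: f"{reg_cn('liste')[n]} {de(arg)}{arg}" for n in (SG, PL)},
            "g": FEM}


GRAMMARS = {
    "en": {"Int": lin_int_en, "List": lin_list_en},
    "fr": {"Int": lin_int_fr, "List": lin_list_fr},
}


def linearize(tree, lang):
    """Map an abstract syntax tree to its record in the chosen concrete syntax."""
    fun, *args = tree
    return GRAMMARS[lang][fun](*(linearize(arg, lang) for arg in args))


def trees_up_to(depth):
    """All trees of category CN with at most `depth` List nodes."""
    trees = [("Int",)]
    for _ in range(depth):
        trees.append(("List", trees[-1]))
    return trees


def parse(string, lang, max_depth=4):
    """The parsing direction, done here by generate-and-match; returns the
    (tree, number) pairs whose linearization equals the input string."""
    hits = []
    for tree in trees_up_to(max_depth):
        table = linearize(tree, lang)["s"]
        hits.extend((tree, n) for n in (SG, PL) if table[n] == string)
    return hits


if __name__ == "__main__":
    t = ("List", ("List", ("Int",)))
    for lang in ("en", "fr"):
        print(lang, linearize(t, lang))
    print(parse("lists of integers", "en"))
```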

4 GF-Alfa: an Interface to Alfa 

The GF interface to Alfa consists of two kinds of GF grammars: 

— Core grammars, defining the translations of framework-level expressions. 

⁴ Also notice the elision of the preposition “de” in front of a vowel. An ordinary 
linguistic processing system might treat elision by a separate morphological analyser, 
but the user of a proof editor may appreciate the possibility of specifying everything 
in one and the same source file. 

⁵ The most important departure from context-free grammars is the possibility to 
permute, reduplicate, and suppress arguments of syntactic constructions. Rules using 
parameters, although conceptually non-context-free, can be interpreted as sets of 
context-free rules. 

⁶ The parsing algorithm is context-free parsing with some postprocessing. Suppressed 
arguments give rise to metavariables, which, in general, can only be restored inter- 
actively. 
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— Syntactic annotations, defining translations of user-defined concepts. 

The only grammar that is hard-coded in the Alfa system is the abstract syntax 
common to all core grammars. It is the grammar with which the normal syntax 
of Alfa communicates: the natural-language interface does not directly generate 
English or French, but expressions in this abstract syntax. The concrete syntax 
parts of core grammars are read from GF source when Alfa is started. Users of 
Alfa may thus modify them and add their own grammars for new languages.⁷ 

The syntactic categories of the interface are, essentially, those of the syntax 
of type theory used in the implementation of Alfa. The most important ones are 
expressions, constants (=user-defined expressions), and definitions: 



cat Exp ; Cons ; Def 

The category Exp covers a variety of natural-language categories: common nouns, 
sentences, proper names, and proof texts. Rather than splitting up Exp into all 
these categories, we introduce a set of corresponding parameters, and state that 
a given expression can be linearized into all of these forms: 

param ExpForm = cn Num | sent | pn | text ; Num = sg | pl 
lincat Exp = {s : ExpForm => Str} 

For instance, the expression emptySet, which “intrinsically” is a proper name, 
has all of these forms, of which the pn form is the shortest: 



lin emptySet = {s = tbl { 
  (cn {sg}) => ["element of the empty set"] ; 
  (cn {pl}) => ["elements of the empty set"] ; 
  {sent}    => ["the empty set is inhabited"] ; 
  {pn}      => ["the empty set"] ; 
  {text}    => ["we use the empty set"]}} 



This rule can be obtained as the result of a systematic transformation: 



oper mkPN : Str -> {s : ExpForm => Str} = \str -> {s = tbl { 
  (cn {sg}) => ["element of"] ++ str ; 
  (cn {pl}) => ["elements of"] ++ str ; 
  {sent}    => str ++ ["is inhabited"] ; 
  {pn}      => str ; 
  {text}    => ["we use"] ++ str}} 

lin emptySet = mkPN ["the empty set"] 



Such transformations can be defined for each parameter value taken as the “in- 
trinsic” one for a constant. The user of GF-Alfa can, to a large extent, rely 
on these operations and need not write explicit tables and records. However, a 
custom-made annotation may give more idiomatic language: 

⁷ This is relatively easy: using the English core grammar as a model, the Swedish one 
was constructed in less than a day. It required ca. 400 lines of GF code, of which a 
considerable part is not used in the core grammar itself, but consists of macros that 
make it easier for Alfa users to write syntactic annotations. 
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lin emptySet = {s = tbl { 
  (cn {sg}) => ["impossible element"] ; 
  (cn {pl}) => ["impossible elements"] ; 
  {sent}    => ["we have a contradiction"] ; 
  {pn}      => ["the empty set"] ; 
  {text}    => ["we use the empty set"]}} 

The abstract syntax of the core grammars is extended every time the user 
defines a new concept in Alfa. The extension is by a function whose value type 
is Cons. For instance, the Alfa judgement 

List (A:: Set) :: Set = ... 

is interpreted as a GF abstract syntax rule 

fun List : Exp -> Cons 

GF-Alfa automatically generates a default annotation, 

lin List A = mkPN ("List" ++ A.s ! pn) 

which the user may then edit to something more idiomatic for each target lan- 
guage: for instance, 

lin List A = 

  mkCN (tbl {n => regCN "list" ! n ++ "of" ++ A.s ! (cn pl)}) 

The reading given to proofs is not different from other type-theoretical ob- 
jects. For instance, the conjunction introduction rule, which in Alfa reads 

ConjI (A::Set) (B::Set) (a::A) (b::B) :: Conj A B = ... 

can be given the GF annotation 

lin ConjI A B a b = mkText ( 
  a.s ! text ++ ++ b.s ! text ++ ++ 
  "Altogether" ++ A.s ! sent ++ "and" ++ B.s ! sent) 

The rest of the natural deduction rules can be treated in a similar way, using e.g. the 
textual forms used in [11]. It is, of course, also possible to define ad hoc inference 
rules and give them idiomatic linearization rules. 

On the top level, an Alfa theory is a sequence of definitions. Even theorems 
with their proofs are definitions of constants, which linguistically correspond 
to names of theorems. The linearization of a definition depends on whether the 
constant defined is intrinsically a proper name, common noun, etc. This intrinsic 
feature is by default proper name, but can be changed in a syntactic annotation. 
In the following section, examples are given of definitions of common nouns 
(“natural number”) and proper names (“the sum of a and b”). Section 8 shows 
a definition of a constant conceived as the name of a theorem. 
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5 Natural Language Output 

The primary and most basic function of GF in Alfa is to generate natural lan- 
guage text from code. Any definition or expression visible in the editor window 
can be selected and converted into one of the supported languages by using a 
menu command. 

As an example, the default linearization of the (completed) definitions shown 
in Figure 1 would be as follows: 

Definition. Nat is defined as follows: 

- the constructor Zero . 

- the constructor Succ applied to n where n is an element 
of Nat 

Definition. Let a and b be elements of Nat. + applied to a 
and b is an element of Nat, depending on a as follows: 

- for the constructor Zero , choose b . 

- for the constructor Succ applied to n , choose the 
constructor Succ applied to + applied to n and b 

By adding the following grammatical annotations, 

Nat = mkRegCN ["natural number"] 

Zero = mkPN "zero" 

Succ n = mkPN (["the successor of"] ++ n.s ! pn) 

(+) a b = mkPN (["the sum of"] ++ a.s ! pn ++ "and" ++ b.s ! pn) 

and similar grammatical annotations for Swedish and French, we obtain the 
following versions of the above definitions: 

Definition. A natural number is defined by the following constructors: 

- zero 

- the successor of n where n is a natural number. 

Definition. Let a and b be natural numbers. Then the sum of a and b is a natural number, 
defined depending on a as follows: 

- for zero, choose b 

- for the successor of n, choose the successor of the sum of n and b. 

Définition. Les entiers naturels sont définis par les constructeurs suivants : 

- zéro 

- le successeur de n où n est un entier naturel. 

Définition. Soient a et b des entiers naturels. Alors la somme de a et de b est un entier 
naturel, qu’on définit dépendant de a de la manière suivante : 

- pour zéro, choisissons b 

- pour le successeur de n, choisissons le successeur de la somme de n et de b. 

Definition. Ett naturligt tal definieras av följande konstruerare: 

- noll 

- efterföljaren till n där n är ett naturligt tal. 

Definition. Låt a och b vara naturliga tal. Summan av a och b är ett naturligt tal, som 
definieras beroende på a enligt följande: 

- för noll, välj b 

- för efterföljaren till n, välj efterföljaren till summan av n och b. 

It is possible to switch between the usual syntax, different language views and 
multilingual views by simple menu commands. 



6 Symbolic parts of natural-language expressions 

Using natural language in every detail is not always desirable. A more suitable 
expression for addition, for instance, would often be 
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(+') a b = mkPN (a.s ! pn ++ "+" ++ b.s ! pn) 

A problem with +' is, however, that it generates bad style if one or both of its 
arguments are expressed in natural language: 

the successor of zero + 2. 

The proper rule is that all parts of a symbolic expression must themselves be 
symbolic. This can be controlled in GF by introducing a parameter of formality 
and making pn dependent on it: 

param Formality = symbolic | verbal 
param ExpForm = ... | pn Formality | ... 

The definition of mkPN must be changed so that it takes two strings as arguments, 
one symbolic and one verbal. We can then rephrase the annotations: 

Zero = mkPN "zero" "0" 

(+) a b = mkPN 

(["the sum of"] ++ a.s! (pn verbal) ++ "and" ++ b.s! (pn verbal)) 
(a.s!(pn symbolic) ++ "+" ++ b.s!(pn symbolic)) 

A separate symbolic version of + now becomes unnecessary. In a text, those 
parts that are to be expressed symbolically are enclosed as arguments of an 
operator 

MkSymbolic A a = mkPN (a.s ! (pn symbolic)) (a.s ! (pn symbolic)) 

Semantically, this operation is the identity: its definition in Alfa is 

MkSymbolic (A::Type) (a::A) = a 

This is a typical example of an identity mapping that can be used for controlling 
the style of the output text. 
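The Formality mechanism of this section, as an added Python example that is not code from the paper: a proper-name record carries one string per formality value, the old single-form (+') rule is kept beside it to reproduce the bad style, and MkSymbolic is the identity that swaps the verbal form for the symbolic one. The symbolic spelling S(...) for Succ and the style check are my own assumptions; the paper gives only the verbal form of Succ.

```python
# Added example, not GF code from the paper: section 6's Formality parameter
# modelled in Python. Building the symbolic form of an expression only ever
# consults the symbolic forms of its parts, so mixed-style output such as
# "the successor of zero + 2" cannot arise.

VERBAL, SYMBOLIC = "verbal", "symbolic"   # param Formality = symbolic | verbal


def old_mk_pn(s):
    """mkPN before the change: a single pn form."""
    return {"s": {"pn": s}}


def old_plus_prime(a, b):
    """(+') a b = mkPN (a.s ! pn ++ "+" ++ b.s ! pn): styles mix freely."""
    return old_mk_pn(f"{a['s']['pn']} + {b['s']['pn']}")


def mk_pn(verbal, symbolic):
    """mkPN after the change: one string per Formality value."""
    return {"s": {("pn", VERBAL): verbal, ("pn", SYMBOLIC): symbolic}}


def pn(rec, formality):
    """Table selection a.s ! (pn formality)."""
    return rec["s"][("pn", formality)]


def lin_zero():
    return mk_pn("zero", "0")          # Zero = mkPN "zero" "0"


def lin_succ(n):
    # Assumption: S(...) as the symbolic spelling of the successor.
    return mk_pn(f"the successor of {pn(n, VERBAL)}", f"S({pn(n, SYMBOLIC)})")


def lin_plus(a, b):
    # (+) a b = mkPN (["the sum of"] ++ a.s!(pn verbal) ++ "and" ++ b.s!(pn verbal))
    #                (a.s!(pn symbolic) ++ "+" ++ b.s!(pn symbolic))
    return mk_pn(f"the sum of {pn(a, VERBAL)} and {pn(b, VERBAL)}",
                 f"{pn(a, SYMBOLIC)} + {pn(b, SYMBOLIC)}")


def lin_mk_symbolic(a):
    """MkSymbolic A a: semantically the identity, but both forms are now the
    symbolic one, so surrounding verbal text shows the expression as a formula."""
    return mk_pn(pn(a, SYMBOLIC), pn(a, SYMBOLIC))


def style_is_consistent(text):
    """The rule of this section, as a check on produced text (assumption):
    a string that contains the operator "+" must not also contain verbal
    proper-name phrases."""
    verbal_words = ("successor", "sum", "zero")
    return not ("+" in text and any(w in text for w in verbal_words))


def demo():
    """Render the same expression 1 + 2 (as Succ Zero + Succ (Succ Zero))
    with the old rule and in each formality of the new one."""
    one = lin_succ(lin_zero())
    two = lin_succ(one)
    total = lin_plus(one, two)
    return {
        "bad": old_plus_prime(old_mk_pn("the successor of zero"),
                              old_mk_pn("2"))["s"]["pn"],
        "verbal": pn(total, VERBAL),
        "symbolic": pn(total, SYMBOLIC),
        "in_text": pn(lin_mk_symbolic(total), VERBAL),
    }


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name:9} {style_is_consistent(text)!s:5} {text}")
```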



7 Natural Language Input 

In addition to obtaining natural language output, you can also use the parsers 
automatically generated by GF to enter expressions in natural language. This 
way, you can make definitions without seeing any programming language syntax 
at all. As a simple example, suppose you want to add a definition of one as the 
successor of zero. By using the command to add a new definition, you get a 
skeleton: 

Definition. one is an element of ?D , defined as ?l 

The first hole to fill in is the type of one. You can use the commands “Give in 
English”, “Give in French”, “Give in Swedish”: 
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[Screenshot: the editor window shows “Definition. one is an element of ?D, defined as ...” 
with the dialog “GF: Give in English” open and the input “natural numbers” entered.] 

The last step is to enter the body of the definition. 

[Screenshot: the input dialog for the body of the definition; its contents are not 
recoverable from the scanned text.] 
The parser understands only the fragment of natural languages we have defined, 
but can actually correct minor grammatical errors in the input. A completion 
mechanism helps in finding accepted words. The smiley in the input window 
gives feedback from the parser. 

Since GF covers arbitrary context-free grammars (and more), it is possible 
for the concrete syntax to be ambiguous. When an ambiguous string is entered, 
Alfa asks the user to choose between the resulting alternative terms. 

Ambiguous structures belong intimately to natural language, including the 
informal language of mathematics. Banning them from the proof editor interface 
would thus be a drastic limitation. Syntactic ambiguity is not so disastrous as 
one might think: careful writers use potentially ambiguous expressions only in 
contexts in which they can be disambiguated. The disambiguating factor is often 
type checking. For instance, the English sentence 

for all numbers x, x is even or x is odd 

has two possible syntactic analyses, corresponding to the formulas 

$(\forall x \in \mathbb{N})(\mathrm{Ev}(x) \lor \mathrm{Od}(x)),$ 

$(\forall x \in \mathbb{N})\mathrm{Ev}(x) \lor \mathrm{Od}(x).$ 

Only the first reading is actually relevant, because the second reading has an un- 
bound variable x. In this case, the GF-Alfa interface, which filters parses through 
the type checker, would thus not even prompt the user to choose an alternative. 

Since the annotation language of GF permits the user to introduce ambiguous 
structures, the parsing facility plays an important role even in natural language 
output: the question whether a text generated from a proof is ambiguous can 
be answered by parsing the text. Even a user who does not care about the 
natural language input facility of GF-Alfa may want to use the GF parser to 
find ambiguities in natural language output. 
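The ambiguity example of this section, as an added Python example that is not code from GF-Alfa: a toy parser for sentences of the shape "for all numbers x, ... or ..." deliberately returns every scoping of the quantifier, and a scope check stands in for the type checker by discarding readings with an unbound variable. Grammar, term representation and checker are constructed for this example.

```python
# Added example, not code from GF-Alfa: the sentence "for all numbers x,
# x is even or x is odd" has one analysis per possible scope of the
# quantifier; the scope check below plays the role of the type checker
# and leaves the user a choice only when several readings survive.

import re

PRED = {"even": "Ev", "odd": "Od"}
SENTENCE = re.compile(r"for all numbers (\w+), (.*)")
ATOM = re.compile(r"(\w+) is (even|odd)")


def parse_body(body):
    """Parse "A or B or ..." into atoms (pred, var); [] if any piece is unknown."""
    atoms = []
    for piece in body.split(" or "):
        m = ATOM.fullmatch(piece.strip())
        if not m:
            return []
        atoms.append((PRED[m.group(2)], m.group(1)))
    return atoms


def parse(sentence):
    """All syntactic analyses: the quantifier scopes over the first k
    disjuncts for any k >= 1, widest scope first."""
    m = SENTENCE.fullmatch(sentence.strip().rstrip("."))
    if not m:
        return []
    var, atoms = m.group(1), parse_body(m.group(2))
    readings = []
    for k in range(len(atoms), 0, -1):
        inner = ("Or", *atoms[:k]) if k > 1 else atoms[0]
        scoped = ("Forall", var, inner)
        rest = atoms[k:]
        readings.append(("Or", scoped, *rest) if rest else scoped)
    return readings


def free_vars(term):
    """Variables occurring outside the scope of a quantifier binding them;
    numerals such as 3 are constants, not variables."""
    if term[0] == "Forall":
        return free_vars(term[2]) - {term[1]}
    if term[0] == "Or":
        return set().union(*(free_vars(t) for t in term[1:]))
    return set() if term[1].isdigit() else {term[1]}


def well_scoped(readings):
    """The type checker's role here: drop readings with an unbound variable."""
    return [r for r in readings if not free_vars(r)]


def show(term):
    """Render a reading as a formula, as it would appear in a choice prompt."""
    if term[0] == "Forall":
        return f"(∀{term[1]} ∈ N)({show(term[2])})"
    if term[0] == "Or":
        return " ∨ ".join(show(t) for t in term[1:])
    return f"{term[0]}({term[1]})"


if __name__ == "__main__":
    for s in ("for all numbers x, x is even or x is odd",
              "for all numbers x, x is even or 3 is odd"):
        kept = well_scoped(parse(s))
        print(s, "->", [show(r) for r in kept],
              "(user must choose)" if len(kept) > 1 else "")
```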
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8 An Example: Insertion Sort 



As a small, but non-trivial, example where GF and many features of Alfa are 
used together, we show some fragments from a correctness proof of a sorting 
algorithm. 

We have defined insertion sort for lists of natural numbers in the typical 
functional programming style: 

insert (x ∈ Nat, xs ∈ [Nat]) ∈ [Nat] 
insert x [] ≡ x : [] 
insert x (x' : xs') ≡ if x <= x' then x : xs else x' : insert x xs' 
sort (xs ∈ [Nat]) ∈ [Nat] 
sort [] ≡ [] 
sort (x : xs') ≡ insert x (sort xs') 



The English translation of the definition of sort is 

Definition. Let xs be a list of natural numbers. Insertion 
sort applied to xs is a list of natural numbers, depending on 
xs as follows: 

- for the empty list, choose the empty list, 

- for x : xs' , choose x inserted into insertion sort applied to 
xs' 



As a specification of the sorting problem, we use the following: 
SortSpec (xs, ys ∈ [Nat]) ∈ Set 
SortSpec xs ys ≡ xs ~ ys ∧ IsSorted ys 



We have chosen “ys is a sorted version of xs” as the English translation of 
SortSpec xs ys. The body of SortSpec translates to “ys is a permutation of xs 
and ys is sorted” . 

After proving some properties about permutations and the insert function, 
we can fairly easily construct the correctness proof for sort by induction on the 
list to be sorted. The proof is shown in natural deduction style in Figure 3. 

The same proof can also be viewed in English. The beginning of it is:⁸ 

The correctness proof for insertion sort. Let xs be a list of 
natural numbers. Insertion sort applied to xs is a sorted 
version of xs . 

Proof. Use the element depending on xs as follows: - for 
the empty list, choose the result of the following procedure: 
first, insertion sort applied to the empty list is a 
permutation of the empty list; the empty list is a 
permutation of itself. Second, insertion sort applied to the 
empty list is sorted; trivial. 

- for x : xs' , choose the result of the following procedure: 

Using the above proof, we can easily prove the proposition 

$\forall xs \in [\mathrm{Nat}].\ \exists ys \in [\mathrm{Nat}].\ \mathrm{SortSpec}\ xs\ ys$ 

The English translation of the proof is: 



⁸ We omit the rest of the proof for the time being. Some fine tuning is needed to make 
the text look really nice. 
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[Figure 3: natural deduction proof tree; the tree layout is not recoverable from the 
scanned text. What survives: the theorem is ThSortIsCorrect (xs ∈ [Nat]) ∈ SortSpec xs (sort xs); 
the case ThSortIsCorrect [] uses ThPermNil to obtain [] ~ sort [] and IsSorted (sort []); 
the case ThSortIsCorrect (x : xs') uses the induction hypothesis 
indhyp ∈ SortSpec xs' (sort xs'), indhyp = ThSortIsCorrect xs', a lemma 
lemma1 (h ∈ xs' ~ sort xs') ∈ x : xs' ~ sort (x : xs'), and the lemmas ThPermTrans and 
ThInsert to conclude SortSpec (x : xs') (sort (x : xs')).] 
Fig. 3. The correctness proof for insertion sort. See section 8. 

The specification SortSpec xs ys is defined to mean that ys is a permutation of xs, 
denoted xs ~ ys, and ys is sorted, denoted IsSorted ys. 



A sorting theorem. For every list of natural numbers xs , 
there exists a list of natural numbers ys such that ys is a 
sorted version of xs . 

Proof. Let xs be an arbitrary list of natural numbers. Let 
ys be insertion sort applied to xs . We know that ys is a 
sorted version of xs , since we can use the correctness 
proof for insertion sort. We conclude that, for every list of 
natural numbers xs , there exists a list of natural numbers 
ys such that ys is a sorted version of xs . QED 



9 Conclusion 

While Alfa dates back to 1995 and GF to 1998, the work on GF-Alfa only started 
at the end of 1999. It has been encouraging that the overall concept of integrating 
GF and Alfa works. Moreover, there is nothing particular to Alfa that makes 
this type of interface work; an earlier interface with the same architecture (i.e. 
core grammar + syntactic annotations) was built for the completely different 
formalism of extended regular expressions [19]. Similar lessons can be learnt 
from both systems: 

— Formal structures can be mapped to natural-language structures so that 
arbitrarily complex expressions always give grammatically correct results. 
Thus it is possible to translate from formal to natural languages. 

— Complex expressions are harder to understand in natural than in formal 
languages. Thus it is important to structure the code and break it into small 
units (such as lemmas), in order for the resulting text to be readable. 

— It is useful to define equivalent variants of formal objects and equip them 
with different linearization rules. In this way stylistic variation can be in- 
cluded in the text. Linearization rules can also implement different degrees 
of information hiding. 






— Natural-language input is only useful for small expressions, since entering a 
long expression runs the risk of falling outside the grammar. 

— The interactive construction of a formal object is helped by a simultaneous 
view of the object as informal text. 

— Ambiguities need not be forbidden in natural language, since they can be 
handled by interaction. Moreover, syntactic ambiguities are often automati- 
cally resolved by type checking. 

The technique of improving the style of generated texts by syntactic annotations 
is interactive rather than automatic. Thus it fits well in the concept of interactive 
proof editors. This does not exclude the possibility of automatic text optimiza- 
tions, e.g. factorizing parts of texts into shared parts (cf. [9]). The preferable 
place of such operations is on the level of abstract syntax, from where they are 
propagated to all target languages. Language-specific optimizations would cer- 
tainly enable more elegant texts to be produced, but they would at the same 
time reduce the extensibility of the system. 
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Abstract. We propose a new tactic language for the system Coq, which 
is intended to enrich the current tactic combinators (tacticals). This lan- 
guage is based on a functional core with recursors and matching oper- 
ators for Coq terms but also for proof contexts. It can be used directly 
in proof scripts or in toplevel definitions (tactic definitions). We show 
that the implementation of this language involves considerable changes 
in the interpretation of proof scripts, essentially due to the matching op- 
erators. We give some examples which solve small proof parts locally and 
some others which deal with non-trivial problems. Finally, we discuss the 
status of this meta-language with respect to the Coq language and the 
implementation language of Coq. 



1 Introduction 

In a proof system, we can generally distinguish between two kinds of languages: 
a proof language, which corresponds to basic or more elaborate primitives and 
a tactic language, which allows the user to write his/her own proof schemes. 
In this paper, we do not deal with the first kind of language which has been 
already extensively studied by, for example, John Harrison in a comparative 
way ([7]), Don Syme with a declarative prover ([11]) and Yann Coscoy with a 
“natural” translation of proofs ([2]). Here, we focus on the tactic language which 
is essentially the criterion for assessing the power of automation of a system (to 
be distinguished from automation which is related to provided tactics) . In some 
systems, the tactic language does not exist and the automation has to be quite 
powerful to compensate for this lack. For example, this is the case for PVS ([10]) 
where nothing is given to extend the system. Also, Mizar ([12]), one of the oldest 
provers, is based on a single tactic, by, and it is impossible to automate some 
parts of the proofs or, more generally, some logic theories. 

The tactic language must be Turing-complete, which is to say that we must 
be able to build proof strategies without any limitation imposed by the language 
itself. Indeed, in general, this language is nothing other than the implementation 
language of the prover. The choice of such a language has several consequences 
that must be taken into account: 
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— the prover developers have to provide the means to prevent possible incon- 
sistencies arising from user tactics. This can be done in various ways. For 
example, in LCF ([6]) and in HOL ([5]), this is done by means of an abstract 
data type and only operations (which are supposed to be safe) given by this 
type can be used. In Coq ([1]), the tactics are not constrained; it is the type- 
checker which, as a Cerberus, verifies that the term, built by the tactic, is of 
the theorem type we want to prove. 

— the user has to learn another language which is, in general, quite different 
from the proof language. So, it is important to consider how much time the 
user is ready to spend on this task which may be rather difficult or at least, 
tedious. 

— the language must have a complete debugger because finding errors in tactic 
code is much harder than in proof scripts developed in the proof language, 
where the system is supposed to assist in locating errors. 

— the proof system must have a clear and a well documented code, especially 
for the proof machine part. The user must be able to easily and quickly 
identify the necessary primitives or he/she could easily get lost in all the 
files and simply give up. 

Thus, we can notice that writing tactics in a full programmable language 
involves many constraints for developers and more especially for users. In fact, 
we must recognize that the procedure is not really easy but we have no alternative 
if we want to avoid restrictions on tactics. However, we can wonder if this method 
is suitable for every case. For example, if we want a tactic which can solve linear 
equations on an Abelian field, it seems to be a non-trivial problem which requires 
a complete programming language. But, now suppose that we want to show that 
the set of natural numbers has more than two elements. This can be expressed 
as follows: 



$\vdash (\exists x : \mathbb{N}.\ \exists y : \mathbb{N}.\ \forall z : \mathbb{N}.\ x = z \lor y = z) \to \bot$ 

To show this lemma, we introduce the left-hand member of the conclusion 
(say H) and eliminate it, then we introduce the witness (say a) and the instan- 
tiated hypothesis H (say Ha), finally, we eliminate Ha to introduce the second 
witness (say b) and the instantiation of Ha (say Hb). At this point, we have the 
following sequent: 



$\ldots,\ H_b : \forall z : \mathbb{N}.\ a = z \lor b = z \vdash \bot$ 

It remains to eliminate Hb with any three natural numbers (say 0, 1 and 2). 
Finally, we have three equalities (that we introduce) with a or b as the left- 
hand member and 0, 1 or 2 as the right-hand member. To conclude in each 
case, it is simply necessary to apply the transitivity of the equality between two 
equations with the same left-hand member; then we obtain an equality between 
two distinct natural numbers which validates the contradiction (depending on 
the prover, this last step must be detailed or not). 
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Of course, the length of this proof depends on the automation of the prover used. For example, in PVS, it may be imagined that applying the lemma of transitivity is quite useless and assert would solve all the goals generated by the eliminations of Hb. In Coq, the proof would be done exactly in this way and we may want to automate the last part of the proof where we use the transitivity. Unfortunately, even if this automation seems quite easy to realize, the current tactic combinators (tacticals) are not powerful enough to make it. So, the user has two choices: to do the proof by hand or to write his/her own tactic, in Objective Caml² ([8]), which will be used only for this lemma.

Thus, it is clear that a large and complete programming language is not a 
good choice to automate small parts of proofs. This is essentially due to the fact 
that the interfacing is too heavy with respect to the result the user wants to 
obtain. Moreover, the need for small automations must not only be seen as a 
lack of automation of the prover because tactics are intended to solve general 
problems and sometimes, user problems are too specific to be covered by primi- 
tive tactics. Thus, it seems that there is a gap between the proof language and 
the language used for writing tactics. 

Here, we want to propose, in the context of Coq, the idea of an intermediate 
language, integrated in the prover and less powerful than the Turing-complete 
language for writing tactics, which is able to deal with small parts of proofs we 
may want to automate locally. This language is intended to be a kind of middle- 
way where it is possible to better enjoy both the usual language of Coq and some 
features of the full programmable language. 

2 Presentation of the Language 

2.1 Definition 

Currently, the only way to combine the primitive tactics is to use predefined operators called tacticals. These are listed in table 1.

As seen previously, no tactical given in table 1 seems to be suitable for automating our small proof. In fact, we would like to do some pattern matching on terms and, even better, on proof contexts. So, the idea is to provide a small functional core with recursion, to have some higher-order structures, and with pattern matching operators both for terms and for proof contexts, to handle the proof process. The syntax of this language, which we call Ltac, is given, using a BNF-like notation, by the entry expr in table 2, where the entries nat, ident, term and primitive_tactic represent respectively the natural numbers, the authorized identifiers, Coq's terms and all the basic tactics. In term, there can be specific variables like ?n, where n is a nat, or ?, which are metavariables for pattern matching. ?n allows us to keep instantiations and to make constraints, whereas ? shows that we are not interested in what will be matched. We can also use this language in toplevel definitions (Tactic Definition) for later calls.

² This is the implementation language of Coq.
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tac1;tac2                        Applies tac1 and tac2 to all the subgoals
tac;[tac1|...|tac_i|...|tac_n]   Applies tac and tac_i to the i-th subgoal
tac1 Orelse tac2                 Applies tac1, or tac2 if tac1 fails
Do n tac                         Applies tac n times
Repeat tac                       Applies tac until it fails
Try tac                          Applies tac and does not fail if tac fails
First [tac1|...|tac_i|...|tac_n] Applies the first tac_i which does not fail
Solve [tac1|...|tac_i|...|tac_n] Applies the first tac_i which solves the goal
Idtac                            Leaves the goal unchanged
Fail                             Always fails

Table 1. Coq's tacticals



2.2 Semantics 

We do not wish to give a formal semantics here. It is not our main aim and would be premature. We can just say that in the context of a reduction semantics (small steps), the interpretation is almost usual. This language can give expressions which are tactics (to apply to a goal) and others which represent terms, for example. Thus, we must evaluate the expressions in an optional environment which is a possible goal. This environment is used for Match Context, which makes non-linear first order unification, as well as for Match. Match Context has a very specific behavior. It tries to match the goal with a pattern (hypotheses are on the left of |- and the conclusion is on the right) and, if the right-hand member is a tactic expression which fails, then it tries another matching with the same pattern. This mechanism allows powerful backtracking and we will discuss an example of its use below.

2.3 Typechecking 

This language is not yet typechecked, although this might be useful in the future for at least two reasons. First, we have some ambiguities which must be solved by syntactic means, and a consequence is the presence of a quote to mark the application of Ltac (see table 2). Another reason for building a typechecker is that we want to detect statically the free variables in a proof script. Experience of proof maintainability shows that proofs are quite sensitive to naming conventions and the idea is mainly to watch the names of hypotheses. Thus, typechecking will be an interesting and original feature of the language and will allow robust scripts to be built.

2.4 Implementation 

To implement Ltac we had to make some choices regarding the existing code. First, we decided to keep an interpreted language. We are not really convinced







A Tactic Language for the System Coq    89

expr         ::= expr ; expr
               | expr ; [ (expr |)* expr ]
               | atom
atom         ::= Fun input_fun+ -> expr
               | Let (let_clause And)* let_clause In expr
               | Rec rec_clause
               | Rec (rec_clause And)* rec_clause In expr
               | Match Context With (context_rule |)* context_rule
               | Match term With (match_rule |)* match_rule
               | '( expr )
               | '( expr expr+ )
               | atom Orelse atom
               | Do (int | ident) atom
               | Repeat atom
               | Try atom
               | First [ (expr |)* expr ]
               | Solve [ (expr |)* expr ]
               | Idtac
               | Fail
               | primitive_tactic
               | arg
input_fun    ::= ident
               | ()
let_clause   ::= ident = expr
rec_clause   ::= ident input_fun+ -> expr
context_rule ::= [ (context_hyps ;)* context_hyps |- term ] -> expr
               | [ |- term ] -> expr
               | _ -> expr
context_hyps ::= ident : term
               | _ : term
match_rule   ::= [ term ] -> expr
               | _ -> expr
arg          ::= ()
               | nat
               | ident
               | term

Table 2. Definition of Ltac
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that we could save a significant amount of time in the execution of compiled scripts, in general run once, especially if we consider the cost of compilation time. Compared to the previous interpretation core³, we have made great changes in the main function which executes the tactics, by, for example, adding the new structures we saw previously (see table 2). Also, to be able to deal with substitutions coming from abstracted variables (Fun) and metavariables (Match Context, Match), we interpret the tactic arguments in the main function. The tactics now take already interpreted arguments rather than ASTs (Abstract Syntax Trees) coming from syntactical analysis. To be extendable, it is possible to dynamically associate interpretation functions to specific AST nodes.

3 Examples 

A first natural example is the one we discussed in the introduction. We want to show that the set of natural numbers has more than two elements. With the current tactic language of Coq, the proof could look like the script given in table 3. As can be seen, after the three inductions (Elim), we have eight cases which can be solved by eight very similar instructions, which differ only in the equality we cut and the term used to apply transitivity. As we know that this equality, say x=y, is such that the equalities a=x and a=y exist in the hypotheses, it would be easy to automate this part provided that we can handle the proof context. This can be done by using Ltac and especially the Match Context structure. Table 4 shows the corresponding script. We can notice that the proof is considerably shorter⁴ and this is increasingly true when we add cases (with three, four, ... elements). Moreover, the work is much less tedious than in the case of the proof by hand and the script can be written without the help of the interactive toplevel loop. This results in a proof style which is much more batch-mode like.

Another example, a little less trivial, is the problem of list permutation on closed lists. Indeed, we may be faced with this problem when we want to show that a list is sorted and it is quite annoying to do the proof by hand when we know it can be done automatically. To use Objective Caml⁵ is certainly quite excessive compared to the difficulty of what we want to solve and Ltac seems to be much more appropriate. To do this, first, we define the permutation predicate as shown in table 5, where ^ represents the append operation on lists. Next, we can write the tactic naturally by using Ltac and the result can be seen in table 6. We can notice that we use two toplevel definitions, PermutProve and Permut. The function to be called is PermutProve, which is intended to solve goals of the form ...|-(permut l1 l2), where l1 and l2 are closed list expressions. PermutProve computes the lengths of the two lists and calls Permut with the length if the two lists have the same length. Permut works as expected. If the two lists are equal, it

³ Of the last release V6.3.1.

⁴ In this respect, we can see that the non-linear pattern matching solves the problem in one pattern instead of two successive patterns.

⁵ This is the full programmable language to write tactics in Coq.
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Lemma card_nat: ~(EX x:nat|(EX y:nat|(z:nat)(x=z)\/(y=z))).
Proof.
Red; Intro H.
Elim H;Intros a Ha.
Elim Ha;Intros b Hb.
Elim (Hb (0));Elim (Hb (1));Elim (Hb (2));Intros.
Cut (0)=(1);[Discriminate|Apply trans_equal with a;Auto].
Cut (0)=(1);[Discriminate|Apply trans_equal with a;Auto].
Cut (0)=(2);[Discriminate|Apply trans_equal with a;Auto].
Cut (1)=(2);[Discriminate|Apply trans_equal with b;Auto].
Cut (1)=(2);[Discriminate|Apply trans_equal with a;Auto].
Cut (0)=(2);[Discriminate|Apply trans_equal with b;Auto].
Cut (0)=(1);[Discriminate|Apply trans_equal with b;Auto].
Cut (0)=(1);[Discriminate|Apply trans_equal with b;Auto].
Save.

Table 3. A proof on cardinality of natural numbers in Coq



concludes. Otherwise, if the lists have identical first elements, it applies Permut on the tails of the lists. Finally, if the lists have different first elements, it puts the first element of one of the lists (here the second one which appears in the permut predicate) at the end, if that is possible, i.e., if the new first element has been at this place previously. To verify that all rotations have been done for a list, we use the length of the list as an argument for Permut and this length is decremented for each rotation down to, but not including, 1, because for a list of length n we can make exactly n - 1 rotations to generate at most n distinct lists. Here, it must be noticed that we use the natural numbers of Coq for the rotation counter. In table 2, we can see that it is possible to use usual natural numbers, but they are only used as arguments for primitive tactics and they cannot be handled; in particular, we cannot make computations with them. So, a natural choice is to use Coq data structures so that Coq makes the computations (reductions) by Eval Compute in, and we can get the terms back by Match.

Beyond these small examples, we discovered that Ltac is much more powerful than might have been expected and, even if it was not our initial aim, this language can deal with non-trivial problems. For example, we coded a tactic to decide intuitionistic propositional logic, based on the contraction-free sequent calculus LJT* of Roy Dyckhoff ([4]). There was already a tactic called Tauto, written in Objective Caml by César Muñoz ([9]). We observed several significant differences. First, with Ltac, we obtained a drastic reduction in size, with 40 lines of code compared with 2000 lines. This can be mainly explained by the complete backtracking provided by Match Context. Moreover, we were very surprised to get a considerable increase in performance, which can reach 95% in some examples. In fact, this is understandable since Ltac is a proof-dedicated language and we can suppose that some algorithms (such as Dyckhoff's) may be coded very naturally.
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Lemma card_nat: ~(EX x:nat|(EX y:nat|(z:nat)(x=z)\/(y=z))).
Proof.
Red; Intro H.
Elim H;Intros a Ha.
Elim Ha;Intros b Hb.
Elim (Hb (0));Elim (Hb (1));Elim (Hb (2));Intros;
Match Context With
  [_:?1=?2;_:?1=?3|-?] ->
    Cut ?2=?3;[Discriminate|Apply trans_equal with ?1;Auto].
Save.

Table 4. A proof on cardinality of natural numbers using Ltac



Section Sort.
Variable A:Set.
Inductive permut:(list A)->(list A)->Prop:=
  permut_refl:(l:(list A))(permut l l)
 |permut_cons:
   (a:A)(l0,l1:(list A))(permut l0 l1)->(permut (cons a l0) (cons a l1))
 |permut_append:(a:A)(l:(list A))(permut (cons a l) (l^(cons a (nil A))))
 |permut_trans:
   (l0,l1,l2:(list A))(permut l0 l1)->(permut l1 l2)->(permut l0 l2).
End Sort.

Table 5. Definition of the permutation predicate



Finally, readability has been greatly improved, so that maintainability has been made much easier (even if there is no debugger for Ltac yet).

We dealt with another important example, which was to verify equalities between types modulo isomorphisms. We chose to use the isomorphisms of the simply typed λ-calculus with Cartesian product and unit type (see, for example, [3]). Again, the code we wrote using Ltac was quite short (about 80 lines with the axiomatization) and quite readable, so that extensions to more elaborate λ-calculi can be easily integrated.

4 Conclusion 

We have presented a language (Ltac) which is intended to make a real link between the primitive tactics and the implementation language (Objective Caml) used to write large tactics. In particular, it deals with small parts of proofs that
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Tactic Definition Permut n:=
  Match Context With
    [|-(permut ? ?1 ?1)] -> Apply permut_refl
   |[|-(permut ? (cons ?1 ?2) (cons ?1 ?3))] ->
      Let newn=Eval Compute in (length ?2) In
      Apply permut_cons;'(Permut newn)
   |[|-(permut ?1 (cons ?2 ?3) ?4)] ->
      '(Match Eval Compute in n With
         [(1)] -> Fail
        |_ ->
          Let l0'=(?3^(cons ?2 (nil ?1))) In
          Apply (permut_trans ?1 (cons ?2 ?3) l0' ?4);
          [Apply permut_append|Compute;'(Permut (pred n))]).

Tactic Definition PermutProve ():=
  Match Context With
    [|-(permut ? ?1 ?2)] ->
      '(Match Eval Compute in ((length ?1)=(length ?2)) With
         [?1=?1] -> '(Permut ?1)).

Table 6. Permutation tactic in Ltac



are to be automated. It can be seen that this language has some interesting 
features: 

— it is in the toplevel of Coq. We do not need a compiler or any specification 
of the implementation of Coq to write tactics in this language. Moreover, to 
learn this small language would be certainly easier than tackling the manual 
of the implementation language. Of course, these remarks must be considered 
with regard to small tactics. 

— the code length is, in general, quite short compared to the same proofs made 
by hand (see tables 3 and 4) and, even when solving non-trivial problems, 
we still have reductions in size, which are sometimes very impressive (as in 
the case of Tauto seen previously). Thus, the scripts are more compact and 
much simpler. 

— the scripts are more readable. This is already the case with small proofs but 
even more so with large tactics (as with Tauto again). 

— the scripts are more maintainable, as a direct consequence of the increase in readability.

It is important to carefully define the scope of Ltac compared to Objective Caml. We must not be tempted to enrich Ltac too much in order to write
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tactics which are more and more complex. Even if we can at present deal with some complex examples, this must be considered as a bonus and not as a goal. We must make sure that Coq does not draw too much upon Objective Caml and, for the moment, we think that Ltac is complete enough. However, we plan to enable Objective Caml to enjoy the advantages of Ltac by a quotation or a syntax extension. With this system, we could use Ltac in Objective Caml like a true Application Programming Interface (API for short) with specific calls, as seen previously, so that we could write tactics more easily and without any limitation.

From the user's point of view, it could be a tricky problem to decide which language is the most appropriate to solve his/her problem. The user must know whether the problem in hand can be coded with Ltac. There is no general rule, but we can identify several criteria by which Objective Caml must be used rather than Ltac. First, Ltac is not suitable for tactics which handle the environment. For example, searching the global context is only possible by using Objective Caml and certain functions of Coq's code. Another indicator that Ltac is not suitable is the use of data structures. The more we use data structures, the more complex the problem is, as is the tactic to build. As shown previously with the example of list permutation (see tables 5 and 6), we can use data structures in Ltac by means of Coq's data structures⁶, which can be handled by Match (and possibly Match Context), and the number of data structures we need is a good indication of the difficulty of the tactic we want to write. Moreover, if you are concerned about performance, it is better to use Objective Caml's data structures, which are much more efficient than those of Coq. Finally, there are more libraries implementing usual data structures in Objective Caml than in Coq and this may be a decisive argument in some cases. Thus, in general, the use of data structures must be limited in Ltac and the user must make choices. For example, the use of natural numbers in the previous example concerning list permutation seems to be quite reasonable and we may consider that this is also the case for other data structures such as booleans or lists.
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Abstract. Proof simplification eliminates unnecessary parts from a proof 
leaving only essential parts in a simplified proof. This paper gives a proof 
simplification procedure for model generation theorem proving and its 
applications to proof condensation, folding-up and completeness proofs 
for non-Horn magic sets. These indicate that proof simplification plays 
a useful role in theorem proving. 



1 Introduction 

A theorem prover for first-order logic called SATCHMO [13] was proposed by 
Manthey and Bry, which is based on model generation and effectively utilizes 
logic programming technologies. SATCHMO tries to construct models for a given 
clause set and determines its satisfiability. The model generation method main- 
tains a set of ground atoms called a model candidate, finds violated clauses that 
are not satisfied under the model candidate, extends it to satisfy them, and 
repeats the process until a model is found or all model candidates are rejected. 

Thus, we make use of model generation not only for model finding [4,16,8] 
but also refutation [7]. There are two types of redundancies in model generation: 
One is that the same subproof tree may be generated at several descendants 
after a case-splitting occurs. Another is caused by unnecessary model candidate 
extensions. 

Folding-up is a well known technique for eliminating duplicate subproofs in 
a tableaux framework [12]. In order to embed folding-up into model generation, 
we have to analyze dependency in a proof for extracting lemmas from proven 
subproofs. Lemmas are used for pruning other subproofs. Dependency analysis 
makes unnecessary parts visible because such parts are independent of essential 
parts in the proof. In other words, we can separate unnecessary parts from the 
proof according to dependency analysis. 

Identifying unnecessary parts and eliminating them are considered as proof 
simplification. The computational mechanism for their elimination is essentially 
the same as that for proof condensation [17] and level cut [2]. Considering this, 
we implement not only folding-up but also proof condensation by embedding one 
mechanism, i.e. proof simplification, into model generation. Proof simplification 
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can be achieved by computing "relevant atoms", which contribute to closing a subproof, during the proof.

On the other hand, we developed a method called non-Horn magic sets 
(NHM) [7] to avoid unnecessary model candidate extensions. An ideal proof 
by the NHM method contains no unnecessary model candidate extension. A 
simplified proof agrees with the ideal, that is, it contains no unnecessary model 
candidate extensions. This implies that we can transform a proof by model gen- 
eration into one by the NHM method by modifying proof simplification. This 
transformation gives a new completeness proof for the NHM method in a syn- 
tactical way. 

The paper is organized as follows. In Section 2, we give a model generation 
procedure and in Section 3, we present a proof simplification procedure. From 
Section 4 to Section 6, we show a model generation procedure with proof conden- 
sation, a model generation procedure with proof condensation and folding-up, 
and a completeness proof of the NHM method by modifying the proof simpli- 
fication procedure. In Section 7, we evaluate effects of proof condensation and 
folding-up by proving problems taken from the TPTP problem library. 



2 Model Generation 

Throughout this paper, a clause $\neg A_1 \vee \dots \vee \neg A_n \vee B_1 \vee \dots \vee B_m$ is represented in implicational form: $A_1 \wedge \dots \wedge A_n \rightarrow B_1 \vee \dots \vee B_m$, where $A_i$ ($1 \le i \le n$) and $B_j$ ($1 \le j \le m$) are atoms; the left hand side of $\rightarrow$ is said to be the antecedent and the right hand side the consequent.

A clause is said to be positive if its antecedent is true ($n = 0$), and negative if its consequent is false ($m = 0$); otherwise it is mixed ($n \ne 0$, $m \ne 0$). A clause is said to be violated under a set $M$ of ground atoms if with some ground substitution $\sigma$ the following condition holds: $\forall i (1 \le i \le n)\, A_i\sigma \in M \;\wedge\; \forall j (1 \le j \le m)\, B_j\sigma \notin M$.

A model generation proof procedure is sketched in Fig. 1. The procedure MG 
takes a partial interpretation Me (model candidate) and a set of clauses S to be 
proven, and builds an annotated (sub)proof-tree of S. An annotated proof-tree 
records which clauses are used for model extension or rejection. The annotation 
is used for proof simplification described in the next section. 

A leaf labeled with ⊤ tells us that a model of S has been found as the current model candidate. If every leaf of the constructed proof-tree is labeled with ⊥, S is unsatisfiable; otherwise S is satisfiable. In the latter case, at least one leaf is labeled with ⊤ or at least one branch grows infinitely. In this paper, we deal with only finite proof trees for simplicity.

A normal proof-tree is obtained from an annotated proof-tree by removing 
the annotations. Conversely, an annotated proof-tree is obtained from a nor- 
mal proof-tree by adding annotations to the normal proof-tree. In this way, we 
consider that an annotated proof-tree is equivalent to its corresponding normal 
proof-tree. Therefore, we use proof-tree to refer to either annotated or normal 
proof-trees where confusion does not arise. 
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procedure MGTP(S) : AP;  /* Input(S): Clause set, Output(AP): Annotated proof-tree of S */
    return(MG(∅, S));

procedure MG(Mc, S) : AP;  /* Input(Mc): Model candidate */
1. (Model rejection) If a negative clause $(A_1 \wedge \dots \wedge A_n \rightarrow \mathit{false}) \in S$ is violated under $Mc$ with a ground substitution $\sigma$, return $(\bot, A_1\sigma \wedge \dots \wedge A_n\sigma)$;
2. (Model extension) If a positive or mixed clause $(A_1 \wedge \dots \wedge A_n \rightarrow B_1 \vee \dots \vee B_m) \in S$ is violated under $Mc$ with a ground substitution $\sigma$, return an annotated proof-tree in the form depicted in Fig. 2 where $AP_i = MG(Mc \cup \{B_i\sigma\}, S)$ ($1 \le i \le m$);
3. (Model finding) If neither 1 nor 2 is applicable, return $(\top, \emptyset)$;

Fig. 1. Model generation procedure



[Fig. 2: a tree whose root is annotated $A_1\sigma \wedge \dots \wedge A_n\sigma$ and whose branches $B_1\sigma, \dots, B_m\sigma$ lead to the subtrees $AP_1, \dots, AP_m$; image not recoverable]

Fig. 2. Model extension



Example 1. Consider the set of clauses $S1$:

    $C_1 : \mathit{true} \rightarrow r$        $C_3 : r \rightarrow p \vee c \vee d$        $C_5 : p \rightarrow \mathit{false}$
    $C_2 : r \rightarrow a \vee b$        $C_4 : r \rightarrow p \vee q$        $C_6 : q \rightarrow \mathit{false}$

Fig. 3 (a) shows an annotated proof-tree of $S1$ and Fig. 3 (b) shows a normal proof-tree of $S1$.

Example 2. Consider the set of clauses $S2$:

    $C_1 : \mathit{true} \rightarrow t \vee p$        $C_3 : q \rightarrow r$        $C_5 : t \rightarrow p$
    $C_2 : p \rightarrow q \vee s$        $C_4 : s \rightarrow r$        $C_6 : p \wedge r \rightarrow \mathit{false}$

Fig. 4 (a) shows an annotated proof-tree of $S2$ and Fig. 4 (b) shows a normal proof-tree of $S2$.



3 Proof Simplification 

In order to eliminate unnecessary model extensions from a proof-tree P, we have 
to make a decision which model extension can be eliminated. Relevant atoms 
and relevant model extensions as defined below provide a criterion for making 
the decision. 
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Fig. 3. Proof-trees of S1
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(a) An annotated proof-tree    (b) A normal proof-tree

Fig. 4. Proof-trees of S2



Definition 1 (Relevant atom). Let $AP$ be an annotated finite (sub)proof-tree. A set $Rel(AP)$ of relevant atoms of $AP$ is defined as follows:

1. If $AP = (\bot, A_1\sigma \wedge \dots \wedge A_n\sigma)$, then $Rel(AP) = \{A_1\sigma, \dots, A_n\sigma\}$.

2. If $AP = (\top, \emptyset)$, then $Rel(AP) = \emptyset$.

3. If $AP$ is in the form depicted in Fig. 2 and

(a) $\forall i (1 \le i \le m)\, B_i\sigma \in Rel(AP_i)$, then $Rel(AP) = \bigcup_{i=1}^{m} (Rel(AP_i) \setminus \{B_i\sigma\}) \cup \{A_1\sigma, \dots, A_n\sigma\}$

(b) $\exists i (1 \le i \le m)\, B_i\sigma \notin Rel(AP_i)$, then $Rel(AP) = Rel(AP_{i_0})$ (where $i_0$ is the minimal index¹ satisfying $1 \le i_0 \le m$ and $B_{i_0}\sigma \notin Rel(AP_{i_0})$)



¹ We assume a fixed total order on indices. The order is also used by the proof simplification procedure shown in Fig. 5 and the proof-tree transformation shown in Fig. 11.
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procedure simplify(AP) : NP;  /* Input(AP): Annotated proof-tree, Output(NP): Simplified normal proof-tree */
    if $AP = (\bot, A_1\sigma \wedge \dots \wedge A_n\sigma)$ then return $\bot$;
    if $AP = (\top, \emptyset)$ then return $\top$;
    if $AP$ is in the form depicted in Fig. 2 then
        if $\forall i (1 \le i \le m)\, B_i\sigma \in Rel(AP_i)$ or $\exists i (1 \le i \le m)(AP_i$ contains $\top)$ then
            return the normal proof-tree of the form of Fig. 2 whose subtrees are $NP_1, \dots, NP_m$;  /* relevant model extension */
                where $NP_i = simplify(AP_i)$ ($i = 1, \dots, m$)
        else return $NP_{i_0}$;  /* irrelevant model extension */
                where $NP_{i_0} = simplify(AP_{i_0})$ and $i_0$ is the minimal index satisfying $1 \le i_0 \le m$ and $B_{i_0}\sigma \notin Rel(AP_{i_0})$

Fig. 5. Proof simplification procedure



Informally, the relevant atoms of a (sub)proof-tree $P$ are the atoms which contribute to building $P$ and appear as ancestors of $P$, if $P$ does not contain $\top$. If $P$ contains $\top$, the set of relevant atoms of $P$ is $\emptyset$.

Definition 2 (Relevant model extension). A model extension by a clause $A_1\sigma \wedge \dots \wedge A_n\sigma \rightarrow B_1\sigma \vee \dots \vee B_m\sigma$ is relevant to the proof if the model extension yields the (sub)proof-tree in the form depicted in Fig. 2 and either $\forall i (1 \le i \le m)\, B_i\sigma \in Rel(AP_i)$ or $\exists i (1 \le i \le m)(AP_i$ contains $\top)$ holds.

We can eliminate irrelevant model extensions. Let $AP$ be an annotated (sub)proof-tree in the form depicted in Fig. 2. If there exists a subproof-tree $AP_i$ ($1 \le i \le m$) such that $B_i\sigma \notin Rel(AP_i)$ and $AP_i$ does not contain $\top$, we can conclude that the model extension forming the root of $AP$ is unnecessary, because $B_i\sigma$ does not contribute to $AP_i$. Therefore, we can delete the other subproof-trees $AP_j$ ($1 \le j \le m$, $j \ne i$) and take $NP_i$ to be a simplified proof-tree of $AP$, where $NP_i$ is a simplified proof-tree of $AP_i$. When $AP$ contains $\top$, we consider that the model extension forming the root of $AP$ is necessary from a model finding point of view.

Fig. 5 shows a proof simplification procedure which eliminates irrelevant 
model extensions. The procedure simplify takes an annotated proof-tree and 
returns a simplified normal proof-tree. 

Example 3. Let $AP_{S1}$ be the annotated proof-tree shown in Fig. 3 (a). Fig. 6 shows the simplification process for $AP_{S1}$. Both (a) and (b) show applications of simplify to two leaves in $AP_{S1}$, while (c) and (d) show the sets of relevant atoms of these leaves. According to these two results, the model extension for the bottom left subproof-tree is relevant to the proof. So, the subproof-tree is not simplified, as (e) indicates.





Proof Simplification for Model Generation and Its Applications 101 



On the other hand, (f) says that the set of relevant atoms of the subproof-tree under c does not contain the atom c. This implies that the model extension at the root of the outer subproof-tree is irrelevant to the proof. Therefore, it is simplified as (g) indicates. Similarly, we conclude that the remaining model extension is also irrelevant to the proof. Finally, we obtain the simplified proof-tree shown in (h).

On the other hand, the annotated proof-tree $AP_{S2}$ shown in Fig. 4 (a) contains no irrelevant model extensions, so $AP_{S2}$ is not simplified by simplify.



    (a) $simplify((\bot, p)) = \bot$        (c) $Rel((\bot, p)) = \{p\}$
    (b) $simplify((\bot, q)) = \bot$        (d) $Rel((\bot, q)) = \{q\}$
    [(e)-(h): successive applications of simplify to the proof-tree; images not recoverable]

Fig. 6. Proof simplification process for $AP_{S1}$



4 Application to Proof Condensation 

Performing proof simplification during the proof, instead of after the proof has been completed, makes the model generation procedure more efficient. The procedure MGsimp in Fig. 7 realizes this idea. MGsimp is a combination of MG in Fig. 1 and Definition 1. MGsimp returns a normal proof-tree $NP$ and a set $RA$ of relevant atoms. MGsimp builds the proof-tree in a left-first manner.

$B_i\sigma \notin RA_i$ for some $i$ ($1 \le i \le m$) means that the atom $B_i\sigma$ does not contribute to the proof $NP_i$. That is, the model extension does not contribute
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procedure MGsimp(Mc, S) : (NP, RA);
/* Output(NP): Normal proof-tree, Output(RA): Set of relevant atoms */
1. (Model rejection) If a negative clause $(A_1 \wedge \dots \wedge A_n \rightarrow \mathit{false}) \in S$ is violated under $Mc$ with a ground substitution $\sigma$, return $(\bot, \{A_1\sigma, \dots, A_n\sigma\})$;
2. (Model extension) If a positive or mixed clause $(A_1 \wedge \dots \wedge A_n \rightarrow B_1 \vee \dots \vee B_m) \in S$ is violated under $Mc$ with a ground substitution $\sigma$,
    for (i = 1; i ≤ m; i++) {
        $(NP_i, RA_i) = MGsimp(Mc \cup \{B_i\sigma\}, S)$;
        if $B_i\sigma \notin RA_i$ and $NP_i$ does not contain $\top$ then  /* irrelevant */
            return $(NP_i, RA_i)$;  /* proof condensation */
    }
    if $\exists i (1 \le i \le m)(NP_i$ contains $\top)$ then $RA = \emptyset$
    else $RA = \bigcup_{i=1}^{m} (RA_i \setminus \{B_i\sigma\}) \cup \{A_1\sigma, \dots, A_n\sigma\}$;
    return (the normal proof-tree of the form of Fig. 2 whose subtrees are $NP_1, \dots, NP_m$, $RA$);
3. (Model finding) If neither 1 nor 2 is applicable, return $(\top, \emptyset)$;

Fig. 7. Model generation procedure with proof condensation



to the proof $NP_i$. Therefore the proofs $MG(Mc \cup \{B_j\sigma\}, S)$ ($i < j \le m$) can be ignored. Thus $m - i$ among $m$ branches are eliminated after $i$ branches have been explored. Model generation with proof simplification is essentially the same as the proof condensation in the HARP prover [17] and the level cut in the Hyper Tableaux prover [2].

These provers keep a flag for each inner node of proof trees. The flag indicates whether the corresponding node N participates in a subproof below N. Initially, the flag of N is "off", which means N does not participate in the proof at all. The flag becomes "on" when the literal of N resolves away a complementary literal in the subproof under N. If the flag remains "off" after the subproof below N is completed, we conclude that the extension step yielding N was unnecessary to obtain the subproof. Therefore, we can delete all open (unsolved) sibling nodes of N. Thus, the literal of a node with an "on" flag is considered as "relevant" to the proof in our terminology.

Example 4. Fig. 8 shows model generation with proof condensation for the set
S1 of clauses shown in Example 1. The mark × indicates a pruned branch. Model
extensions are performed in the left-first manner as the figure indicates. The set
of the relevant atoms of the inner subproof-tree under c is {r} as indicated in
Fig. 6 (f). This implies that the model extension that yields c is irrelevant to the
proof. Therefore, the proof under d is pruned. In a similar way, the exploration
under b is eliminated. Thus, we obtain a proof-tree which has 6 inner nodes and
3 leaves.

Fig. 8. Eliminating irrelevant model extensions
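The run of Example 4 can be reproduced on a ground clause set. The following Python is an added example, not code from the paper: it implements the MGsimp procedure of Fig. 7 for propositional clauses, counts the explored inner nodes and ⊥ leaves, and checks Theorem 1 (Section 5) by brute force on the relevant atoms it computes. The clause set S1 is assumed to be the one read off its NHM transformation in Example 6 (→ r, r → a ∨ b, r → p ∨ c ∨ d, r → p ∨ q, p → false, q → false), since Example 1 itself is not on this page.

```python
"""MGsimp (Fig. 7) for ground clauses, with proof condensation.

Added example, not code from the paper.  A clause A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm
is a (body, head) pair of atom names; a ground substitution is therefore the
identity.  S1 is assumed from the NHM transformation in Example 6.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import product


def clause(body, *head):
    return (frozenset(body), tuple(head))


# S1 (assumed): → r, r → a ∨ b, r → p ∨ c ∨ d, r → p ∨ q, p → false, q → false
S1 = [clause([], "r"), clause(["r"], "a", "b"), clause(["r"], "p", "c", "d"),
      clause(["r"], "p", "q"), clause(["p"]), clause(["q"])]


@dataclass
class Proof:
    """Normal proof-tree: a ⊥ leaf ("reject"), a ⊤ leaf ("open") or a model
    extension with one subtree per head atom."""
    kind: str
    clause: tuple | None = None
    children: list[Proof] = field(default_factory=list)

    def contains_open(self) -> bool:
        return self.kind == "open" or any(c.contains_open() for c in self.children)


@dataclass
class Stats:
    extensions: int = 0   # inner nodes explored, including condensed-away branches
    rejections: int = 0   # ⊥ leaves


def violated(c, mc):
    body, head = c
    return body <= mc and not any(b in mc for b in head)


def mg_simp(mc, S, stats):
    """Return (NP, RA): normal proof-tree and the set of relevant atoms of NP."""
    # 1. Model rejection: a violated negative clause closes the branch; its
    #    body atoms are exactly the relevant atoms of this leaf.
    for c in S:
        if not c[1] and violated(c, mc):
            stats.rejections += 1
            return Proof("reject", c), set(c[0])
    # 2. Model extension with the first violated positive/mixed clause, left-first.
    for c in S:
        if c[1] and violated(c, mc):
            body, head = c
            subproofs, ras = [], []
            for b in head:
                stats.extensions += 1
                np_i, ra_i = mg_simp(mc | {b}, S, stats)
                if b not in ra_i and not np_i.contains_open():
                    # b did not contribute to NP_i: return NP_i in place of the
                    # whole extension and skip the unexplored sibling branches.
                    return np_i, ra_i
                subproofs.append(np_i)
                ras.append(ra_i)
            if any(p.contains_open() for p in subproofs):
                ra = set()
            else:
                ra = set(body).union(*(r - {b} for r, b in zip(ras, head)))
            return Proof("extend", c, subproofs), ra
    # 3. Model finding: Mc satisfies S.
    return Proof("open"), set()


def run(S):
    stats = Stats()
    np, ra = mg_simp(frozenset(), S, stats)
    return np, ra, stats


def holds(c, assignment):
    body, head = c
    return not all(assignment[a] for a in body) or any(assignment[b] for b in head)


def unsatisfiable(S, lemma=frozenset()):
    """Brute-force check that S ∪ lemma has no model (Theorem 1 takes
    lemma = Rel(AP) for a proof-tree AP that does not contain ⊤)."""
    atoms = sorted({a for body, head in S for a in (*body, *head)} | set(lemma))
    for values in product((False, True), repeat=len(atoms)):
        assignment = dict(zip(atoms, values))
        if all(assignment[a] for a in lemma) and all(holds(c, assignment) for c in S):
            return False
    return True


if __name__ == "__main__":
    np, ra, stats = run(S1)
    print(f"explored {stats.extensions} inner nodes and {stats.rejections} leaves")
    print("condensed proof uses clauses:", np.clause, "and", np.children[0].clause)
    print("root Rel =", ra, "; S1 ∪ {r} unsatisfiable:", unsatisfiable(S1, {"r"}))
```

The explored tree has the 6 inner nodes and 3 leaves reported in Example 4, while the condensed proof that is returned keeps only the extensions with → r and r → p ∨ q.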



5 Application to Folding-up 

We make use of a set of relevant atoms not only for proof condensation but also
to generate a lemma. The following theorem reveals a useful aspect of a set of
relevant atoms.

Theorem 1. Let S be a set of clauses, Mc be a set of ground atoms and AP =
MG(Mc, S). If all leaves in AP are labeled with ⊥, i.e. AP does not contain ⊤,
then S ∪ Rel(AP) is unsatisfiable.

Proof. By structural induction on AP.

If AP is a leaf ⊥ annotated with A1σ ∧ ... ∧ Anσ and (A1 ∧ ... ∧ An → false) (∈ S) is the negative
clause used for the model rejection, then Rel(AP) = {A1σ, ..., Anσ}. Obviously,
{A1 ∧ ... ∧ An → false} ∪ Rel(AP) is unsatisfiable. Therefore, S ∪ Rel(AP) is
unsatisfiable because {A1 ∧ ... ∧ An → false} ⊆ S.

If AP is in the form depicted in Fig. 2 and (A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm) (∈
S) is the clause used for the model extension, then by the induction hypothesis
S ∪ Rel(APi) (i = 1, ..., m) is unsatisfiable. We have two cases: the model
extension is irrelevant or relevant. In the former case, ∃i(1 ≤ i ≤ m)(Rel(AP) =
Rel(APi)). Therefore S ∪ Rel(AP) is unsatisfiable.

In the latter case, we assume S ∪ Rel(AP) is satisfiable. Then there exists
a model M of S ∪ Rel(AP). It follows from ∀i(1 ≤ i ≤ n)(Aiσ ∈ Rel(AP)) that
∀i(1 ≤ i ≤ n)(M ⊨ Aiσ). Then ∃j(1 ≤ j ≤ m)(M ⊨ Bjσ). This implies that
S ∪ Rel(AP) ∪ {Bj0σ} is satisfiable, where j0 is an index satisfying 1 ≤ j0 ≤ m
and M ⊨ Bj0σ. Here, Rel(AP) ∪ {Bj0σ} ⊇ Rel(APj0) and S ∪ Rel(APj0) is
unsatisfiable. Then S ∪ Rel(AP) ∪ {Bj0σ} is unsatisfiable. This is a contradiction.
Therefore, S ∪ Rel(AP) is unsatisfiable. □

This theorem says that a set of relevant atoms can be considered as a lemma.
Consider the model generation procedure shown in Fig. 1. Let Mc be a current
model candidate and AP be a subproof-tree which was previously obtained and
does not contain ⊤. If Mc ⊇ Rel(AP) holds, we can reject Mc without further
proof because S ∪ Mc is unsatisfiable, where S is the clause set to be proven. This
rejection mechanism, which is a variant of merging [20], can reduce search spaces
by orders of magnitude. However, it is expensive to test whether Mc ⊇ Rel(AP).
Therefore, we restrict usage of the rejection mechanism.
Definition 3 (Context unit lemma). Let S be a set of clauses and AP be
a (sub)proof-tree of S in the form depicted in Fig. 2. When Biσ ∈ Rel(APi),
Rel(APi) \ {Biσ} ⊨_S ¬Biσ is called a context unit lemma² extracted from APi.
We call Rel(APi) \ {Biσ} the context of the lemma.

Note that Biσ ∈ Rel(APi) implies that Rel(APi) is not empty. Therefore, APi
does not contain ⊤. Thus, S ∪ Rel(APi) is unsatisfiable according to Theorem 1.
We simply call a context unit lemma with empty context a unit lemma.

The context of the context unit lemma extracted from APi (1 ≤ i ≤ m) is
satisfied in the model candidates of the sibling proofs APj (j ≠ i, 1 ≤ j ≤ m), that is, the
lemma is available in APj. Furthermore, the lemma can be lifted to the nearest
ancestor node which does not satisfy the context (in other words, which is
labeled with an atom in the context) and is available in that node's descendant proofs.

Fig. 9 shows a model generation procedure which makes use of context unit
lemmas. The procedure MGfup takes a model candidate Mc, a set of context
unit lemmas UL_I and a set of clauses S to be proven. There is a guarantee that
∀(Γ ⊨_S L) ∈ UL_I (Γ ⊆ Mc). That is, every lemma in UL_I is available under Mc.
MGfup returns a normal (sub)proof-tree NP of S, a set of relevant atoms RA of
NP and a set of context unit lemmas UL_O which can be lifted to an ancestor
node. Each lemma in UL_O is extracted from a subproof-tree of NP according
to Definition 3. A leaf labeled with ∗ indicates that a model candidate is rejected
by a lemma. This procedure is an implementation of folding-up [12] for model
generation. The procedure also accomplishes proof condensation.

Example 5. Fig. 10 shows model generation with folding-up for the set S2 of
clauses shown in Example 2. The set of the relevant atoms of the left inner
subproof-tree under q is {p, q}. So, the context unit lemma {p} ⊨_S2 ¬q is ex-
tracted from the set. Similarly, we obtain the context unit lemmas {p} ⊨_S2 ¬s and
∅ ⊨_S2 ¬p from the right inner subproof-tree under s and the outer subproof-tree
under p, respectively. The latter lemma is lifted to the root node and the right
subproof under p is pruned with it. Thus, a duplicate subproof is eliminated.

There has been a lot of work on refinements for tableaux approaches in order
to shorten proofs. Caching [1] is a modified method of lemmas for the model elimina-
tion calculus. Roughly speaking, a cache is a complete database of all unit lemmas
produced in past derivations. Merge path [3] is a generalization of folding-up.
Merge path allows one to re-use proof trees whether they contain ⊤ or not, while
folding-up does not allow one to re-use proof trees which contain ⊤. However,
merge path requires an extra mechanism in order to avoid endless derivations,
which can happen even when it is applied to the propositional calculus.

So far little research has been carried out on combining proof condensation
and lemma generation within a single framework such as computing relevant
atoms. Iwanuma introduced lemma matching [9], which is a systematic treat-
ment of lemmas for the model elimination calculus. In his work, a set of levels works
as a set of relevant atoms.

² Γ ⊨_S L is an abbreviation of S ∪ Γ ⊨ L, where Γ is a set of ground literals, S is a
set of clauses, and L is a literal.
procedure MGTPfup(S) : NP; /* Input(S): Clause set, Output(NP): Normal proof-tree of S */
  (NP, RA, UL) = MGfup(∅, ∅, S); return NP;

procedure MGfup(Mc, UL_I, S) : (NP, RA, UL_O);
/* Input(Mc): Model candidate, Input(UL_I): Set of context unit lemmas,
   Output(RA): Set of relevant atoms,
   Output(UL_O): Set of context unit lemmas lifted */

1. (Model rejection) If a negative clause (A1 ∧ ... ∧ An → false) ∈ S is violated
   under Mc with a ground substitution σ, return (⊥, {A1σ, ..., Anσ}, ∅);

2. (Model extension) If a positive or mixed clause (A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm) ∈ S
   is violated under Mc with a ground substitution σ,
   for (i = 1; i ≤ m; i++) {
     if ∃(Γ ⊨_S ¬Biσ) ∈ UL_I ∪ ⋃_{j=1}^{i−1} UL_O^j then {
       NPi = ∗; RAi = Γ; UL_O^i = ∅; /* applying a lemma to Biσ */
     } else {
       (NPi, RAi, UL_O^i) = MGfup(Mc ∪ {Biσ}, UL_I ∪ ⋃_{j=1}^{i−1} UL_O^j, S);
       /* filter out context unit lemmas which cannot be lifted */
       UL_O^i = UL_O^i \ {(Γ ⊨_S L) ∈ UL_O^i | Biσ ∈ Γ};
       if (Biσ ∈ RAi) then /* create a new context unit lemma */
         UL_O^i = UL_O^i ∪ {(RAi \ {Biσ}) ⊨_S ¬Biσ}
       elseif NPi does not contain ⊤ then /* irrelevant model extension */
         return (NPi, RAi, ⋃_{j=1}^{i} UL_O^j); /* proof condensation */
     }
   }
   if ∃i(1 ≤ i ≤ m)(NPi contains ⊤) then RA = ∅
   else RA = ⋃_{i=1}^{m} (RAi \ {Biσ}) ∪ {A1σ, ..., Anσ};
   return (the proof-tree with subtrees NP1, ..., NPm under B1σ, ..., Bmσ, RA, ⋃_{i=1}^{m} UL_O^i);

3. (Model finding) If neither 1 nor 2 is applicable, return (⊤, ∅, ∅);

Fig. 9. Model generation procedure with folding-up and proof condensation



[Fig. 10 is a proof-tree diagram; the table of subproofs (SP), relevant atoms (RA) and context unit lemmas (UL) beside it reads:
  SP           RA      UL (context unit lemma)
  inner (q)    p, q    {p} ⊨_S2 ¬q
  inner (s)    p, s    {p} ⊨_S2 ¬s
  outer        p       ∅ ⊨_S2 ¬p]

Fig. 10. Eliminating a duplicate proof
There are three forms of lemma matching. The first form, unit lemma match-
ing, corresponds to an application of a unit lemma. The second form, identical
C-reduction, corresponds to an application of a context unit lemma. The third
form, strong contraction, has a similar effect to proof condensation³.

6 Application to Completeness Proof for Breadth-First 
Non-Horn Magic Sets 

Model generation is forward reasoning in the sense that its proof begins with 
positive clauses (i.e. facts) and ends with negative clauses (i.e. goals). Non-Horn 
magic sets (NHM) were designed to enhance forward reasoning provers. The 
NHM method aims to select only violated clauses that yield relevant model 
extensions. It is worth noting that a simplified proof obtained by the proof 
simplification procedure has no irrelevant model extension, that is, every model 
extension in the proof is relevant. 

Considering this, we make a proof-tree transformation procedure that builds 
a proof-tree of the NHM method from that of model generation. The procedure 
is obtained by modifying the proof simplification procedure. The transformation 
procedure gives a syntactic proof of completeness of the NHM method. 

There are two versions of the NHM method: the breadth-first NHM and 
depth-first NHM. In this paper, we consider only the former version, while both 
versions are considered in [11]. 



6.1 Breadth-first NHM Transformation Method

Let S be a set of clauses. We introduce a meta-logical predicate goal/1 which
takes an atom in S as its argument. The literal goal(A) means that the atom A
is relevant to the goal and needs to be solved.

Definition 4 (Breadth-first NHM Transformation). The breadth-first NHM
transformation is defined as follows. A clause A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm in
S is transformed into two clauses:

T_B^g : goal(B1) ∧ ... ∧ goal(Bm) → goal(A1) ∧ ... ∧ goal(An).

T_B^r : goal(B1) ∧ ... ∧ goal(Bm) ∧ A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm.

Although T_B^g has a conjunction of n atoms goal(A1) ∧ ... ∧ goal(An) in the conse-
quent, we identify T_B^g with the n clauses goal(B1) ∧ ... ∧ goal(Bm) → goal(Ai) (1 ≤
i ≤ n).

³ Note that proof condensation is not applicable to the model elimination calculus straight-
forwardly, because every extension of the model elimination calculus is relevant to the
proof in our sense. This is because every literal in a chain (a proof tree) becomes a B-
literal, which resolves away its complementary literal of an input clause, or participates
in a reduction operation.
In this transformation, for n = 0 (a positive clause), the first transformed
clause T_B^g is omitted. For m = 0 (a negative clause), the conjunction goal(B1) ∧
... ∧ goal(Bm) becomes true. For n ≠ 0, two clauses T_B^g and T_B^r are obtained
by the transformation. T_B^g is a clause simulating backward reasoning, and T_B^r is
a clause for forward reasoning that implements relevancy testing.

The set of transformed clauses obtained from S by the breadth-first NHM
transformation is denoted by T_B(S). T_B(S) is separated into T_B^g(S) and T_B^r(S).
The breadth-first NHM method checks the satisfiability of T_B(S) instead of the
original clause set S.

Example 6. Consider the clause set S1 described in Example 1. The NHM-
transformed clause set T_B(S1) is as follows:

1.2 goal(r) → r

2.1 goal(a) ∧ goal(b) → goal(r)              2.2 goal(a) ∧ goal(b) ∧ r → a ∨ b

3.1 goal(p) ∧ goal(c) ∧ goal(d) → goal(r)    3.2 goal(p) ∧ goal(c) ∧ goal(d) ∧ r → p ∨ c ∨ d

4.1 goal(p) ∧ goal(q) → goal(r)              4.2 goal(p) ∧ goal(q) ∧ r → p ∨ q

5.1 true → goal(p)                           5.2 p → false

6.1 true → goal(q)                           6.2 q → false
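Definition 4 applied to S1, as an added example in Python (not the paper's code): it produces the eleven clauses of Example 6 and then runs forward chaining on the goal clauses alone to show which T_B^r guards can ever be satisfied. Only the guards of 1.2, 4.2, 5.2 and 6.2 become true, so the transformed set never performs the model extensions with r → a ∨ b and r → p ∨ c ∨ d that proof condensation had to prune in Example 4.

```python
"""Breadth-first NHM transformation (Definition 4) applied to S1 of Example 6.

Added example, not code from the paper.  Clauses are ground (body, head)
tuples of atom names standing for A1 ∧ ... ∧ An → B1 ∨ ... ∨ Bm.
"""


def clause(body, *head):
    return (tuple(body), tuple(head))


# S1 as read off Example 6: → r, r → a ∨ b, r → p ∨ c ∨ d, r → p ∨ q, p → false, q → false
S1 = [clause([], "r"), clause(["r"], "a", "b"), clause(["r"], "p", "c", "d"),
      clause(["r"], "p", "q"), clause(["p"]), clause(["q"])]


def goal(atom):
    return f"goal({atom})"


def nhm_transform(S):
    """Return (T_g, T_r): the goal clauses and the relevancy-tested clauses of T_B(S)."""
    t_g, t_r = [], []
    for body, head in S:
        guard = tuple(goal(b) for b in head)        # empty (true) for a negative clause
        # T_B^g, identified with one clause per goal(Ai); nothing for n = 0.
        t_g.extend(clause(guard, goal(a)) for a in body)
        # T_B^r: the original clause guarded by the goal literals of its head.
        t_r.append(clause(guard + body, *head))
    return t_g, t_r


def show(c):
    body, head = c
    lhs = " ∧ ".join(body) if body else "true"
    rhs = " ∨ ".join(head) if head else "false"
    return f"{lhs} → {rhs}"


def derivable_goals(t_g):
    """Least fixpoint of the goal clauses: the atoms NHM marks as relevant to the goal."""
    goals = set()
    changed = True
    while changed:
        changed = False
        for body, head in t_g:
            if set(body) <= goals and head[0] not in goals:
                goals.add(head[0])
                changed = True
    return goals


def enabled_clauses(S):
    """Clauses of S whose T_B^r guard can ever become true: only these are
    available for model extension or rejection when T_B(S) is refuted."""
    t_g, t_r = nhm_transform(S)
    goals = derivable_goals(t_g)
    return [c for c, (_, head) in zip(S, t_r) if {goal(b) for b in head} <= goals]


if __name__ == "__main__":
    t_g, t_r = nhm_transform(S1)
    for c in t_g + t_r:
        print(show(c))
    print("derivable goal atoms:", sorted(derivable_goals(t_g)))
    print("clauses with satisfiable guard:", [show(c) for c in enabled_clauses(S1)])
```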

6.2 Completeness of the breadth-first NHM method

Theorem 2 (Completeness of the breadth-first NHM). If a set S of
clauses is unsatisfiable, then T_B(S) is unsatisfiable.

The paper [7] gives a semantic proof for the completeness of the NHM
method. The present paper, on the other hand, gives a syntactic argument.
In other words, we give a proof-tree transformation procedure, which maps a
proof-tree of a clause set S to that of the breadth-first NHM transformed clause
set T_B(S), by modifying the proof simplification procedure. In this proof, we
assume the soundness and completeness of the model generation method [13,4].

Theorem 3 (Completeness of Model Generation). If a set S of clauses is
unsatisfiable, then S has a finite proof-tree every leaf of which is labeled with ⊥.

Theorem 4 (Soundness of Model Generation). Let S be a set of clauses.
If S has a finite proof-tree every leaf of which is labeled with ⊥, then S is unsat-
isfiable.

Assuming that a set S of clauses is unsatisfiable, by the completeness of
model generation, S has a finite proof-tree every leaf of which is labeled with ⊥.
According to the proof-tree transformation procedure described in this section,
we can build a finite proof-tree for T_B(S) every leaf of which is labeled with ⊥.
Therefore, we conclude that T_B(S) is unsatisfiable by the soundness of model
generation. Thus, the completeness of the breadth-first NHM is proved.

In the following, we assume that the proof-tree to be transformed is finite and
all its leaves are labeled with ⊥.
Fig. 11. Proof-tree transformation for the breadth-first NHM: ToPtb0



Fig. 11 shows a proof-tree transformation procedure that maps an annotated
proof-tree AP of a clause set S to a normal proof-tree of T_B(S). The main
part of the procedure is ToPtb0, which takes AP and returns a pair of normal
proof-trees: BP is a bottom-up proof part for T_B(S) and TP is a top-down proof
part. The concatenation TP/BP (TP placed above BP) forms a proof-tree of T_B(S).
Note that TP always has one branch.

The procedure ToPtb0 deals with the proof-tree AP according to the form
of AP:

1. When AP is formed by model rejection (Fig. 11 (1)):

Return a pair (BP, TP). Here, BP represents a subproof-tree built by
model rejection with a T_B^r clause (A1σ ∧ ... ∧ Anσ → false) and TP rep-
resents a subproof-tree built by model extension with a T_B^g clause (true →
goal(A1σ) ∧ ... ∧ goal(Anσ)).

2. When AP is formed by model extension (Fig. 11 (2)):

If the model extension is relevant to the proof, return a pair (BP, TP).
Here, BP represents a subproof-tree built by model extension with a T_B^r
clause (goal(B1σ) ∧ ... ∧ goal(Bmσ) ∧ A1σ ∧ ... ∧ Anσ → B1σ ∨ ... ∨ Bmσ)
and TP represents a subproof-tree built by model extension with a T_B^g clause
(goal(B1σ) ∧ ... ∧ goal(Bmσ) → goal(A1σ) ∧ ... ∧ goal(Anσ)).

On the other hand, if the model extension is irrelevant to the proof, return
(BP_i0, TP_i0), which is the value of ToPtb0(AP_i0) where i0 satisfies 1 ≤ i0 ≤ m
and goal(Bi0σ) ∉ TP_i0, so as to remove the model extension from the proof-
tree.

In order to show that the transformed tree TP/BP (= ToPtb0(AP)) is a proof-
tree of T_B(S), we prove in the paper [11] that each model extension/rejection in
TP and BP satisfies its applicability conditions.



Example 7. Let AP_S1 be the annotated proof-tree shown in Fig. 3 (a). Fig. 12
shows a transformation process for AP_S1. Note that the model extensions marked
in the figure are irrelevant, while the remaining model extensions are relevant.

(1) shows a partial value of ToPtb0(AP_S1), where AP_S1' is the subproof-tree
below r. The model extension remains after the transformation. (2) and (3)
indicate that the irrelevant model extensions are eliminated by the
transformation.

(4) and (5) show transformations for leaves in AP_S1. Using these two trans-
formations, the transformation for the bottom left subproof-tree is obtained as
shown in (6). From (1), (3) and (6), we obtain ToPtb0(AP_S1) shown in (7).
Finally, we obtain a normal proof-tree of T_B(S1), which is a concatenation of
the BP part and the TP part of ToPtb0(AP_S1).



7 Experimental Results 

We have implemented a model generation theorem prover with proof conden-
sation and folding-up. This prover is written in KLIC [5] version 3.003. KLIC
programs are compiled into C programs.

We selected all non-Horn problems (1984 problems) in the TPTP library [19]
version 2.3.0. The problems were run on a SUN Ultra 60 (450MHz, 1GB, Solaris
2.7) workstation with a time limit of 10 minutes and a space limit of 256MB.

Table 1 shows the number of problems solved by model generation with-
out and with proof condensation and folding-up, and by the SPASS (version 1.0.3)
prover⁴ [21]. In the table, “+” indicates that the corresponding method is used,
“-” indicates that it is not used. For example, the column (3) shows the num-
ber of problems solved by model generation with folding-up and without proof
condensation.

The number of problems solved has increased by 34 in the case of using only proof
condensation (the column (2)), while it has increased by 14 in the case of using only
folding-up (the column (3)). According to our experiments, there are many cases
where the pruning effect of proof condensation is stronger than that of folding-up.

⁴ We used the tptp2X utility [19] with options “-q2 -fdfg -t rm_equality:rstfp”
to get SPASS formats from TPTP formats. SPASS ran in automatic mode.
Table 1. Number of problems solved (of 1984 non-Horn problems)

                        (1)      (2)      (3)      (4)    SPASS
  folding-up             -        -        +        +
  proof condensation     -        +        -        +
  Number                305      339      319      385      834
  (Percentage)        (15.4)   (17.1)   (16.1)   (19.4)   (42.0)

Table 2. Performance comparison

                       (1)        (2)        (3)        (4)      SPASS
  folding-up            -          -          +          +
  proof condensation    -          +          -          +

  CIV008-1.002        T.O.       0.11       0.41       0.11       2.50   unsatisfiable
                                  196       1335        195       1784
  GEO013-3            T.O.       T.O.       T.O.      76.31      31.15   unsatisfiable
                                                        478       5049
  GEO033-3            T.O.       1.19       T.O.       1.19       T.O.   unsatisfiable
                                  140                   140
  GEO051-3            T.O.     110.95       T.O.     111.02      16.89   unsatisfiable
                                  433                   392       2625
  KRS013-1            T.O.       0.02       T.O.       0.01       0.03   unsatisfiable
                                  106                    77         72
  MSC007-2.005       48.49       4.18      35.61       2.63     257.93   unsatisfiable
                    170875       9827     110093       6180       6927
  PRV009-1          379.25       0.71       0.63       0.72       0.01   unsatisfiable
                   7382541         58        685         56         15
  PUZ010-1            T.O.     185.90       T.O.      18.15     211.79   unsatisfiable
                               925562                 69024     453324
  PUZ018-2            T.O.       5.08       T.O.       4.14       T.O.   satisfiable
                                  735                   371
  SYN437-1            T.O.       T.O.       T.O.     367.42     515.12   satisfiable
                                                       6556    1006266
  SYN443-1            T.O.       T.O.      27.86       6.89      17.85   unsatisfiable
                                           21523       4246      52659
  SYN447-1            T.O.       T.O.       T.O.     214.02     329.47   unsatisfiable
                                                      71659     334102
  SYN511-1            T.O.       T.O.     385.59       8.62      21.71   unsatisfiable
                                          109990       2961      52513

  top: time (sec)
  bottom: No. of nodes of proof tree ((1)-(4)); No. of kept clauses (SPASS)
  T.O.: Time out (> 600 sec)
[Fig. 12 consists of proof-tree diagrams for steps (1)-(7) of the transformation; the leaf cases are the only parts recoverable as text:
ToPtb0((⊥, p)) = (⊥, goal(p))   (4)
ToPtb0((⊥, q)) = (⊥, goal(q))   (5)]

Fig. 12. Proof-tree transformation process for AP_S1



This makes it clear that naive model generation performs many irrelevant model
extensions. The combination of proof condensation and folding-up has a great
effect on pruning the search space. The number of problems solved has increased by
80 to 385 (the column (4)), which is 19.4% of the TPTP non-Horn problems.

Compared to SPASS solving 42.0%, this result does not seem to be good. We
consider that this comes from the absence of unification⁵ and of built-in equality
treatment in our system.

Table 2 compares the proving performance on several typical problems. The
integer in a bottom row is considered as showing the search space required for the proof.
All problems exhibit proof condensation or folding-up effects. The entries of
GEO033-3, GEO051-3, KRS013-1, MSC007-2.005, PUZ010-1 and PUZ018-2 show
the pruning effect of proof condensation to be stronger than that of folding-up, while
the entries of SYN443-1 and SYN511-1 show the reverse situation.

The entries of GEO013-3, PUZ010-1, SYN437-1, SYN443-1, SYN447-1 and
SYN511-1 show the effect of the combination of proof condensation and folding-
up. For GEO033-3, MSC007-2.005, PUZ010-1 and PUZ018-2, model generation
with proof condensation and folding-up overcomes SPASS.

⁵ Recall that we use a ground substitution σ for model extensions. Therefore, unification
is not required for model generation.

8 Conclusion 

We have given a proof simplification procedure which eliminates unnecessary 
parts from a proof so as to extract essential parts from the proof. Performing 
proof simplification during the proof, instead of after the proof has been com- 
pleted, is essentially the same as the proof condensation facility which has the 
ability to prevent irrelevant model extensions. We also have shown that a set of 
relevant atoms used for the proof simplification procedure can be considered as 
a lemma with which some duplicate subproofs may be eliminated. This way, we 
embed folding-up, which eliminates duplicate subproofs, into model generation 
by modifying the proof simplification procedure. 

The proof simplification procedure is considered as a proof transformation 
procedure that maps a proof containing unnecessary parts to another proof con- 
taining no unnecessary parts. This consideration gives a proof transformation 
procedure, which maps a proof of the model generation procedure to that of the 
NHM method, used for a completeness proof for the NHM method. Thus, proof 
simplification is a useful tool of theorem proving. 

Experimental results show that orders of magnitude speedup can be achieved
for some problems. Nevertheless, state-of-the-art theorem provers such as SPASS
and E [6] overcome ours in terms of the number of problems solved. Future
work thus includes embedding equality handling into model generation and
studying a lifted version of this work.
Have Spass with OCC1N^=_g



Christian G. Fermüller and Georg Moser*
Technische Universität Wien, Austria



Abstract. We prove that a particular superposition based inference op-
erator decides a fragment of clause logic with equality, called OCC1N^=_g.
We also show that the theorem prover Spass not only implements the cor-
responding operator but also generates standard descriptions of unique
term models for all satisfiable clause sets in OCC1N^=_g.



1 Introduction 

Automated model building is a topical research field that extends and com- 
plements automated deduction. In a refutational context, its main task can be 
formulated as follows: 

— If a (sound and complete) theorem prover fails to refute a formula F, extract 
an adequate representation of a model for F from the information produced 
by the prover. 

Obviously, termination of the prover is a precondition for model building. There- 
fore one of the challenges here is to identify non-trivial syntactic classes of for- 
mulae for which the theorem prover in question terminates, i.e., represents a 
decision procedure. Results of this type for equality free clause logic, using reso- 
lution methods, are surveyed in [FLTZ93] and [FLHTOO]. In presence of (theory 
free) equality some interesting decidability proofs along this line are provided, 
e.g., in [BGW93], [FS93], [GD99]. Related results, concerning purely equational 
classes can be found in [JMW98,Nie96]. 

Building upon corresponding decidability results, the potential of hyperreso-
lution as a model builder is explored in [FL93] and [FL96]. Some of these results
are generalized in [FL98] to define an inference based model building proce-
dure for a fragment of clause logic with equality.¹ A related approach to model
building, developed by R. Caferra and his collaborators, in particular N. Peltier,
consists in augmenting standard calculi for clause logic by additional rules and

* The research described in this paper was partly supported by Austrian Research Fund
(FWF) grant No. 14126-MAT

¹ N. Peltier (private communication) recently found a counter example to the claim
of [FL98] that the particular inference operator used there terminates on the class
PVD^=_g. (Fortunately, the decidability of the class in question has also been proved
by other means in [Rud00]. The central part of [FL98] — namely the correctness
of the suggested “backtracking free” model building procedure — seems not to be
affected by the error.)



M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 114-130, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 
constraint handling mechanisms that facilitate the extraction of models during
proof search (see, e.g., [CP96,Pel97]).

Here we want to emphasize that the successful and easily accessible theorem
prover Spass [WAB+99,Wei00] can be employed not only as a decision procedure
but also as a model builder for large fragments of clause logic. To this aim we
investigate a particular class of clause sets OCC1N^=_g, that is an extension of an
equality free class defined in [FL93] to clause logic with (ground) equalities. The
decidability proof for OCC1N^=_g is rather involved. However, the main technical
result is that Spass not only decides OCC1N^=_g, but also generates standard
descriptions of unique models for all satisfiable inputs from this class. In fact,
model building is almost “for free” here, due to the eager use of the splitting
rule in Spass.

It is not our main motivation to establish a decision and model building pro- 
cedure for yet another fragment of clause logic. We rather prefer to look at the 
results from a proof theoretic point of view. Giving syntactic criteria (on input 
formulas) that are sufficient for termination of proof search is a way of char- 
acterizing mathematically the “computational strength” of a calculus. In this 
sense the specific decidability result, together with the remarks on model build- 
ing, should be seen as mathematically substantiated evidence for the claim that 
Spass and its underlying superposition calculus as developed by L. Bachmair 
and H. Ganzinger are an impressively strong and flexible tool, indeed. 



2 Basic Notions 

We assume familiarity with clause logic, in particular its semantics. However we
need to fix some terminology concerning syntax.

Terms and atoms are defined as usual with respect to a given signature Sig
of constant, function, and predicate symbols. Equalities are atoms involving the
binary predicate ≈, interpreted as congruence and denoted in infix notation
as usual. A clause C is written in the form Π → Δ, where Π and Δ are multi-sets
of atoms. Π is called the negative and Δ the positive part of C. Π' → Δ' is a
sub-clause of C if Π ⊆ Π' and Δ ⊆ Δ'. A literal L is an occurrence of an atom,
either negative or positive, in a clause. We also write L, Γ for {L} ∪ Γ, and Δ, Γ
for Δ ∪ Γ.

It is convenient to view a term as a rooted and ordered tree, where the inner
nodes are function symbols and the leaf nodes constants or variables. A position
p in a term t is a sequence of edges in a path leading from the root to a node u_p
of t. By the depth of p, denoted by |p|, we mean the number of edges it consists
of. The sub-term of t that has its root at u_p is denoted as t|p. In writing t[s]
we indicate the occurrence of a sub-term s in t and use t[s'] to denote the term
resulting from t by replacing the indicated occurrence of s by s'. These definitions
also apply to atoms (i.e. atoms are considered as trees with a predicate symbol
as root).

In the following let E be a term or an atom. The set of all variables occurring
in E is denoted as vars(E). The depth of E is defined as τ(E) = max{|p| :
E|p exists}. The maximal depth of occurrence of a sub-term s in E is defined as
τ_max(s, E) = max{|p| : E|p = s}. Similarly, τ_min(s, E) = min{|p| : E|p = s}. The
maximal depth of variable occurrence in E is defined as τ_v(E) = max{|p| : E|p ∈
vars(E)} if vars(E) ≠ ∅ and τ_v(E) = −1 for ground expressions.

These definitions are generalized to multi-sets of atoms and clauses in the
obvious way. E.g., let C = (Π → Δ); then τ(C) = max{τ(E) : E ∈ Π ∪ Δ}.
τ⁺(C) = max{τ(E) : E ∈ Δ} refers to the positive literals of C only. To avoid
undefined cases we define τ(C) = −1 if C is empty and τ⁺(C) = −1 if Δ is
empty. τ_max(s, C), τ_min(s, C), τ_v(C), and τ_v⁺(C) are defined analogously.

For a set of clauses S, τ(S) = max{τ(C) : C ∈ S}. τ_v(S), τ⁺(S) and τ_v⁺(S)
are defined analogously. By a clause set we mean a finite set of clauses.

An expression (i.e. a term, atom, multi-set of atoms or a clause) is called
ground if no variable occurs in it. It is called linear if each variable occurs at
most once in it.

Substitutions are defined as usual. In particular a most general unifier of two
terms or atoms E1 and E2 is denoted by mgu(E1, E2). The result of applying a
substitution σ to an expression E is denoted by Eσ.



3 The Class OCC1N^=_g

In [FL93] the following class of clause sets was introduced as a non-trivial ex-
ample of a class for which hyperresolution provides a decision procedure.

Definition 1. OCC1N is the class of all clause sets S, defined over a signature
without equality, such that for all (Π → Δ) ∈ S:

(lin) Δ is linear; i.e. each variable occurs at most once in Δ, and
(vd) τ_max(x, Δ) ≤ τ_min(x, Π) for all x ∈ vars(Δ) ∩ vars(Π).

Let OCC1N^= be defined exactly as OCC1N, but over a signature including
equality.

Theorem 1. OCC1N^= is undecidable.

Proof. It is known that satisfiability for finite sets E = {s1 ≈ t1, ..., sn ≈ tn} of
equalities augmented by a single ground inequality s0 ≉ t0 is undecidable, even
if the equalities contain only a single variable and only unary function symbols
(see, for example, Theorem 4 in [FS93]). We reduce this decision problem to that
for OCC1N^=.

Let h^n(v) denote h(h(...(v)...)) for n iterations of h, and let x be the single
variable occurring in s_i ≈ t_i ∈ E. We define the following translation (°):

(s_i ≈ t_i)° =def (h^n(x) ≈ h^n(y) → s_i{x ← y} ≈ t_i)

where h is a fixed function symbol that does not occur in E, y is a new variable,
and n = τ(s_i ≈ t_i). Consider the set of clauses

S_E = {(s_i ≈ t_i)° : s_i ≈ t_i ∈ E} ∪ {s0 ≈ t0 →}.

Clearly, S_E ∈ OCC1N^=. Since the function symbol h is fresh, any model M of
E ∪ {s0 ≉ t0} can be extended to a model M' of S_E by interpreting h as the identity
function. Conversely, any model of S_E is also a model of E ∪ {s0 ≉ t0}. □

This motivates interest in the class OCC1N^=_g, defined exactly as OCC1N^=,
but requiring all equality literals to be ground.
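The depth measures of Section 2 and the two conditions of Definition 1, as an added example in Python (not the authors' code). Terms and atoms are nested tuples with the symbol first and variables as plain strings; the (°) translation from the proof of Theorem 1 is included so that a clause can be shown to lie in OCC1N^= while, because its equalities are not ground, falling outside OCC1N^=_g.

```python
"""Depth measures (Section 2) and the OCC1N conditions (Definition 1).

Added example, not the authors' code.  A term or atom is a nested tuple
(symbol, arg, ...); a variable is a plain string; "≈" is the equality
predicate.  A clause Π → Δ is the pair (Π, Δ) of lists of atoms.
"""


def is_var(t):
    return isinstance(t, str)


def positions(e, depth=0):
    """Yield (|p|, E|p) for every position p of E; the root has depth 0."""
    yield depth, e
    if not is_var(e):
        for arg in e[1:]:
            yield from positions(arg, depth + 1)


def tau(e):
    """τ(E): depth of the deepest node."""
    return max(d for d, _ in positions(e))


def tau_max(s, e):
    """τ_max(s, E); -1 when s does not occur in E."""
    return max((d for d, t in positions(e) if t == s), default=-1)


def tau_min(s, e):
    return min((d for d, t in positions(e) if t == s), default=-1)


def variables(e):
    return {t for _, t in positions(e) if is_var(t)}


def tau_v(e):
    """τ_v(E): deepest variable occurrence, -1 for ground expressions."""
    return max((d for d, t in positions(e) if is_var(t)), default=-1)


def is_linear(atoms):
    """(lin): each variable occurs at most once in the multi-set of atoms."""
    occurrences = [t for a in atoms for _, t in positions(a) if is_var(t)]
    return len(occurrences) == len(set(occurrences))


def in_occ1n(clause, ground_equalities_only=False):
    """Definition 1 for one clause: (lin) on Δ and (vd) τ_max(x, Δ) ≤ τ_min(x, Π)
    for every x shared by Π and Δ.  With ground_equalities_only=True the extra
    OCC1N^=_g requirement that all equality literals be ground is enforced."""
    pi, delta = clause
    if not is_linear(delta):
        return False
    shared = set().union(*map(variables, delta)) & set().union(*map(variables, pi))
    for x in shared:
        deepest_pos = max(tau_max(x, a) for a in delta)
        shallowest_neg = min(tau_min(x, a) for a in pi if tau_min(x, a) >= 0)
        if deepest_pos > shallowest_neg:
            return False
    if ground_equalities_only:
        return all(not variables(a) for a in pi + delta if a[0] == "≈")
    return True


def translate(s, t, x="x", y="y", h="h"):
    """The (°) translation from the proof of Theorem 1: an equality s ≈ t over
    the single variable x becomes h^n(x) ≈ h^n(y) → s{x ← y} ≈ t, n = τ(s ≈ t)."""
    n = tau(("≈", s, t))

    def h_n(v):
        for _ in range(n):
            v = (h, v)
        return v

    def subst(e):
        if is_var(e):
            return y if e == x else e
        return (e[0], *map(subst, e[1:]))

    return ([("≈", h_n(x), h_n(y))], [("≈", subst(s), t)])
```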



4 The Inference System Q

We assume (at least nodding) acquaintance with the superposition calculus as
defined, e.g., in [BG94].

We use an instance of the inference system called S_S in [BG94] (equality
resolution, ordered factoring, superposition and equality factoring with selection
function S). In our version of the calculus, the selection function S selects all
negative literals, i.e. we employ a positive superposition strategy.

To achieve greater transparency in our decidability proof (Section 5) we sep-
arate the cases for equality and non-equality literals, respectively. This is also
closer to what is implemented in Spass (see Section 6). In particular we define
an inference rule positive resolution². Significant simplifications arise by

— making use of only those order restrictions that are actually needed to decide
OCC1N^=_g, and

— assuming that all equality literals are ground and that the reduction order
is total on ground terms.

The set of inference rules is given in Table 1.

Remark 1. Note that in rules (of^≈), (ef), (sd), (ss^≈), and (sr^≈) no substitution
is applied, as in these rules only ground equalities are involved.



Definition 2. For any set of clauses S, Q(S) denotes the union of S and all
conclusions of an application of one of the above inference rules where the pre-
mises are in S. By Q*(S) we denote the transitive and reflexive closure of the
set operator Q.

5 Q_c Decides OCC1N^=_g

We want to prove that (up to renaming of variables) only finitely many different
clauses can be derived from any S ∈ OCC1N^=_g using the inference system Q. In
fact, we have to augment Q by a condensation mechanism in order to achieve
this goal, as we will see below.

² Positive resolution corresponds to selective superposition combined with removal
of the negative equality “⊤ ≈ ⊤”, where a non-equality atom A is identified with an
equality A ≈ ⊤ (like in [BG94]).
Table 1. Inference Rules of System $\mathcal{G}$

Ordered Factoring (of):
$\frac{\to \Delta, L, M}{(\to \Delta, L)\theta}$ where $\theta = \mathrm{mgu}(L, M)$

Superposition Right (sr):
$\frac{\to s \approx t, \Delta \qquad \to \Sigma, L[s']}{(\to \Delta, \Sigma, L[t])\theta}$ where $s \succ t$, $s = s'\theta$, $s' \notin \mathrm{vars}(L)$

Equality Factoring (ef):
$\frac{\to \Delta, s \approx t, s \approx t'}{t \approx t' \to \Delta, s \approx t'}$

Selective Superposition (ss):
$\frac{\to s \approx t, \Delta \qquad L[s'], \Gamma \to \Sigma}{(L[t], \Gamma \to \Delta, \Sigma)\theta}$ where $s \succ t$, $s = s'\theta$, $s' \notin \mathrm{vars}(L)$

Positive Resolution (pr):
$\frac{\to L, \Delta \qquad M, \Gamma \to \Sigma}{(\Gamma \to \Delta, \Sigma)\theta}$ where $\theta = \mathrm{mgu}(L, M)$

Ordered Factoring (of equalities) (of$^{=}$):
$\frac{\to \Delta, s \approx t, s \approx t}{\to \Delta, s \approx t}$

Superposition Right (into equalities) (sr$^{=}$):
$\frac{\to s \approx t, \Delta \qquad \to \Sigma, r[s] \approx t'}{\to \Delta, \Sigma, r[t] \approx t'}$ where $s \succ t$

Selective Resolution (sd):
$\frac{t \approx t, \Gamma \to \Delta}{\Gamma \to \Delta}$

Selective Superposition (into equality literals) (ss$^{=}$):
$\frac{\to s \approx t, \Delta \qquad r[s] \approx t', \Gamma \to \Sigma}{r[t] \approx t', \Gamma \to \Delta, \Sigma}$ where $s \succ t$

Remark 2. The proof is rather involved and therefore broken up into several lemmas,
which establish various invariants for clause sets in $\mathrm{OCC1N}^{=}_{g}$ with respect
to $\mathcal{G}$. Given the fact that there exists a relatively simple decidability proof for
$\mathrm{OCC1N}$ (see [FLTZ93], Chapter 3) based on hyperresolution, the complexity
of the proof may appear surprising. However, hyperresolution gets incomplete
if combined with paramodulation (by simply adding paramodulants of input
clauses and hyperresolvents). As a reminder of the subtleties arising from the
addition of (ground) equalities to decidable classes of equality-free clause logic
consider the following example (due to N. Peltier). The clause set $S$ consisting
of

$P(f(x)), Q(x) \to Q(f(x))$ (1)

$\to P(a)$ (2)

$\to Q(a)$ (3)

belongs to PVD, a class straightforwardly decidable by hyperresolution (see, e.g.,
[FLTZ93]). However, adding the ground equality

$\to f(a) \approx a$

to $S$ results in a clause set from which infinitely many different clauses are
derivable using $\mathcal{G}$.
We first state a few simple observations about mgus involving linear atoms.

Proposition 1. Let $L$ and $M$ be variable disjoint atoms and let $\theta =
\{x_1 \mapsto s_1, \ldots, x_n \mapsto s_n\} \cup \{y_1 \mapsto t_1, \ldots, y_m \mapsto t_m\}$ be the mgu of $L$ and $M$, where
$x_i \in \mathrm{vars}(L)$ and $y_i \in \mathrm{vars}(M)$. If $L$ is linear then:

1. all $t_i$ are sub-terms of $L$ and therefore linear and pairwise variable disjoint.

2. If also $M$ is linear, then the following facts hold:

(a) $L\theta = M\theta$ is linear, too,

(b) $\tau(L\theta) = \max\{\tau(L), \tau(M)\}$,

(c) $\tau_v(L\theta) = \max\{\tau_v(L), \tau_v(M)\}$.

Proposition 2. Property (vd) of Definition 1 is stable under substitutions.

We show that the class $\mathrm{OCC1N}^{=}_{g}$ is closed under our inference operator:

Lemma 1. If $S \in \mathrm{OCC1N}^{=}_{g}$ then also $\mathcal{G}(S) \in \mathrm{OCC1N}^{=}_{g}$.

Proof. Observe that the two defining conditions for $\mathrm{OCC1N}^{=}_{g}$, (lin) and (vd),
concern variable occurrences only. Also observe that the union of pairwise variable
disjoint linear multi-sets of literals is linear, too. Therefore membership in
$\mathrm{OCC1N}^{=}_{g}$ is trivially preserved by the rules (of$^{=}$), (ef), (sr$^{=}$), (sd), and (ss$^{=}$),
since only ground terms are manipulated and positive parts of clauses are joined.
Likewise, (lin) and (vd) remain satisfied if the mgu used in the application of a
rule is ground. This observation suffices for the cases of selective superposition
(ss) and superposition right (sr).

It remains to investigate positive resolution (pr) and ordered factoring (of).
Since only positive clauses can be factored, condition (vd) trivially holds for
factors. Since positive clauses are linear, Proposition 1 guarantees that also condition
(lin) remains satisfied.

For positive resolution consider

$C = (\to L, \Delta) \qquad D = (M, \Gamma \to \Sigma)$

$E = (\Gamma \to \Delta, \Sigma)\theta$

where $\theta = \mathrm{mgu}(L, M)$. Assume that $\{C, D\} \in \mathrm{OCC1N}^{=}_{g}$. By Proposition 1, the
terms $\theta(y_i)$ are linear and pairwise variable disjoint for $y_i \in \mathrm{vars}(M)$. Therefore
$\Sigma\theta$ remains linear. Moreover $\Delta$ is variable disjoint with $L$ and $\Sigma\theta$. Hence $E$
satisfies condition (lin).

By Proposition 2, condition (vd) not only holds for $\Gamma \to \Sigma$ but also for
$\Gamma\theta \to \Sigma\theta$. Since $\Delta\theta\,(= \Delta)$ is variable disjoint with this sub-clause of $E$, (vd)
also holds for $E$, which concludes the proof. □

Observe that the term depth of a derived clause can be strictly greater than
the maximal term depth of its parent clauses. E.g., applying selective superposition
to the $\mathrm{OCC1N}^{=}_{g}$-clauses

$\to f(f(a)) \approx a$ and $P(g(f(x))) \to Q(g(g(x)))$

results in the clause

$P(g(a)) \to Q(g(g(f(a))))$.

By resolution we can even increase the maximal depth of variable occurrences:
Resolving

$\to P(f(x))$ and $P(y), R(g(y), u) \to Q(y)$

results in the clause

$R(g(f(x)), u) \to Q(f(x))$.

However, we can prove that the maximum of the depth of variable occurrences
cannot increase in the positive part of a clause. The proof uses ideas
from [FLTZ93].

Lemma 2. For all $S \in \mathrm{OCC1N}^{=}_{g}$: $\tau^{+}(\mathcal{G}(S)) = \tau^{+}(S)$.

Proof. Since all equality literals are ground, the only rules that may increase
the depth of occurrences of variables (with respect to the parent clauses) are
positive resolution (pr) and ordered factoring (of). Therefore we restrict our
investigations to the cases (pr) and (of).

Concerning ordered factoring remember that only positive clauses can be
factored. Let $E = (\to \Delta, L)\theta$ be the result of factoring $C = (\to \Delta, L, M)$.
Since $L$ and $M$ are linear and variable disjoint, Proposition 1 applies and we
may conclude that $\tau_v(L\theta) = \max\{\tau_v(L), \tau_v(M)\}$. Moreover, since $\Delta$ and $L$ are
variable disjoint, we have $\Delta\theta = \Delta$. Hence $\tau^{+}(E) = \tau^{+}(C)$.

For the case of positive resolution consider

$C = (\to L, \Delta) \qquad D = (M, \Gamma \to \Sigma)$

$E = (\Gamma \to \Delta, \Sigma)\theta$

with $\theta = \mathrm{mgu}(L, M)$. By condition (lin), $\Delta$ and $L$ are variable disjoint. Therefore
$\Delta\theta = \Delta$ and

$\tau_v(\Delta\theta) \le \tau_v(C) = \tau^{+}(C)$. (4)

It remains to establish the appropriate bound with respect to $\Sigma\theta$.

Observe that $\tau_v(\Sigma\theta)$ can only be greater than $\tau_v(\Sigma)$ if there is a variable $y$
occurring in both $M$ and $\Sigma$ such that

$\tau_v(\Sigma\theta) = \tau_{\max}(y, \Sigma) + \tau_v(\theta(y))$. (5)

By Proposition 1, $\theta(y)$ is a sub-term $t$ of $L$. Moreover, $t$ must occur somewhere
in $L$ at the same depth as some occurrence of $y$ in $M$. Therefore

$\tau_{\min}(y, M) + \tau_v(\theta(y)) \le \tau_{\max}(t, L) + \tau_v(t) \le \tau_v(L)$. (6)

By condition (vd) we can connect (5) and (6) to conclude in total that

$\tau_v(\Sigma\theta) \le \max\{\tau_v(\Sigma), \tau_v(L)\}$. (7)

Combining (4) and (7) we conclude

$\tau^{+}(E) = \tau_v(\Delta\theta, \Sigma\theta) \le \max\{\tau^{+}(C), \max\{\tau^{+}(C), \tau^{+}(D)\}\} = \max\{\tau^{+}(C), \tau^{+}(D)\}$,

which is q.e.d. □
Next, we prove that the maximal difference of depths at which a variable
can occur within a clause cannot increase. For any clause $C$ let $\mathrm{diff}_v(C) =
\max\{\tau_{\max}(x, C) - \tau_{\min}(x, C) : x \in \mathrm{vars}(C)\}$, and $\mathrm{diff}_v(C) = 0$ if $C$ is ground. For sets of
clauses $S$: $\mathrm{diff}_v(S) = \max\{\mathrm{diff}_v(C) : C \in S\}$.

Lemma 3. For all $S \in \mathrm{OCC1N}^{=}_{g}$: $\mathrm{diff}_v(\mathcal{G}(S)) \le \mathrm{diff}_v(S)$.

Proof. We again distinguish cases corresponding to the different inference rules.

Those rules involving ground substitutions only, or no substitution at all,
obviously cannot increase $\mathrm{diff}_v(\mathcal{G}(S))$ beyond $\mathrm{diff}_v(S)$. By Lemma 1 all positive
clauses remain linear, i.e. $\mathrm{diff}_v(C) = 0$ for positive $C \in \mathcal{G}(S)$.
It therefore remains to investigate positive resolution:

$C = (\to L, \Delta) \qquad D = (M, \Gamma \to \Sigma)$

$E = (\Gamma \to \Delta, \Sigma)\theta$

with $\theta = \mathrm{mgu}(L, M)$, where $\{C, D\} \in \mathrm{OCC1N}^{=}_{g}$. By Proposition 1, $\theta =
\{x_1 \mapsto s_1, \ldots, x_n \mapsto s_n\} \cup \{y_1 \mapsto t_1, \ldots, y_m \mapsto t_m\}$, where $x_i \in \mathrm{vars}(L)$, $y_i \in
\mathrm{vars}(M)$ and all $t_i$ are linear and pairwise variable disjoint. Moreover, the $t_i$ are
variable disjoint with $\Delta$ and $D$. Furthermore, by condition (lin), $\Delta\theta = \Delta$. It
follows that $\mathrm{diff}_v(E) \le \max\{\mathrm{diff}_v(C), \mathrm{diff}_v(D)\}$. □

Lemmas 1, 2 and 3 can be combined to prove a global bound for the depth
of occurrences of a variable anywhere in a clause.

Lemma 4. For all $S \in \mathrm{OCC1N}^{=}_{g}$: $\tau_v(\mathcal{G}^*(S)) \le 2\tau^{+}(S) + \tau_v(S)$.

Proof. We have seen in the proof of Lemma 2 that factorisation does not increase
the maximal depth of occurrences of variables and that the only other rule that
may affect variable depth is positive resolution. It thus remains to investigate
the following case:

$C = (\to L, \Delta) \qquad D = (M, \Gamma \to \Sigma)$

$E = (\Gamma \to \Delta, \Sigma)\theta$

with $\theta = \mathrm{mgu}(L, M)$, where $C$ and $D$ are in $\mathcal{G}^*(S)$. By induction on the number
of applications of $\mathcal{G}$ it follows from Lemma 1 that $\{C, D\} \in \mathrm{OCC1N}^{=}_{g}$. By the
definition of $E$ and induction using Lemmas 2 and 1 we conclude that

$\tau_v(E) \le \max\{\tau_v(\Gamma\theta), \tau^{+}(E)\} \le \max\{\tau_v(\Gamma\theta), \tau^{+}(S)\}$. (8)

We now argue in analogy to the proof of Lemma 2, above. $\tau_v(\Gamma\theta)$ can only
be greater than $\tau_v(\Gamma)$ if there is a $y \in \mathrm{vars}(M) \cap \mathrm{vars}(\Gamma)$ such that

$\tau_v(\Gamma\theta) = \tau_{\max}(y, \Gamma) + \tau_v(t)$

for some sub-term $t = \theta(y)$ of $L$. Hence

$\tau_v(\Gamma\theta) \le \tau_{\min}(y, M) + \mathrm{diff}_v(D) + \tau_v(t)$. (9)

Clearly, $\tau_v(t) \le \tau_v(L) \le \tau^{+}(C)$ and moreover $\tau_{\min}(y, M) \le \tau_v(L) \le \tau^{+}(C)$, since
$t$ must occur in $L$ at the same depth as $y$ in $M$. Thus we have

$\tau_v(\Gamma\theta) \le 2\tau^{+}(C) + \mathrm{diff}_v(D)$.

Now observe that Lemma 3 asserts that $\mathrm{diff}_v(D) \le \mathrm{diff}_v(S)$ and therefore also
$\mathrm{diff}_v(D) \le \tau_v(S)$. Consequently we obtain

$\tau_v(\Gamma\theta) \le 2\tau^{+}(C) + \tau_v(S)$.

Combining this with (8) we obtain

$\tau_v(E) \le \max\{2\tau^{+}(S) + \tau_v(S), \tau^{+}(S)\} = 2\tau^{+}(S) + \tau_v(S)$. □

We have not yet imposed any restriction on the reduction order $\succ$ underlying
$\mathcal{G}$. In order to guarantee termination, $\succ$ has to be chosen carefully, as
illustrated by the following example, due to R. Nieuwenhuis:

$\to f(a) \approx a$ (1)

$\to a \approx f(b)$ (2)

Let $\succ$ be a lexicographic path order with the precedence $a \succ_{\mathrm{prec}} f \succ_{\mathrm{prec}} b$.
Hence $f(a) \succ a \succ f(b)$. With respect to this order infinitely many new ground
equations are derivable from (1) and (2) using $\mathcal{G}$.

To avoid such situations we make use of Knuth-Bendix orders ($\succ_{\mathrm{kbo}}$), which
are nicely supported in Spass and turn out to be best suited for our purpose.

We refrain from stating the definition of $\succ_{\mathrm{kbo}}$ in its full generality. Instead we
give the definition with respect to the ground term algebra only. This is sufficient
to establish Lemma 5.

Definition 3. If $s, t$ are ground terms then $s \succ_{\mathrm{kbo}} t$ if

1. $\mathrm{weight}(s) > \mathrm{weight}(t)$, or

2. $\mathrm{weight}(s) = \mathrm{weight}(t)$, where $s = f(s_1, \ldots, s_k)$ and $t = g(t_1, \ldots, t_l)$, and

(a) $f \succ_{\mathrm{prec}} g$, or

(b) $f = g$ and $(s_1, \ldots, s_k) \succ_{\mathrm{kbo}}^{\mathrm{lex}} (t_1, \ldots, t_l)$,

where $\mathrm{weight}$ is a mapping from (ground) terms into non-negative integers, $\succ_{\mathrm{prec}}$
is a strict total order on the signature symbols, and $\succ_{\mathrm{kbo}}^{\mathrm{lex}}$ is the lexicographic
extension of $\succ_{\mathrm{kbo}}$ to sequences of (ground) terms.

For the rest of the paper we assume $\succ$ to be an extension of $\succ_{\mathrm{kbo}}$, where
$\mathrm{weight}(t)$ counts the number of constant and function symbols occurring in $t$. It
is proved, e.g., in [BN98] that there exists an order fulfilling the above restrictions
that can be extended to a complete simplification order.
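Definition 3 and the Nieuwenhuis example, worked through as an added example (not the paper's or SPASS's code): a KBO on ground terms with weight equal to the symbol count, a lexicographic path order for comparison, and a bounded closure of a set of ground equations under rule (sr$^{=}$) of Table 1. Under the LPO with $a \succ_{\mathrm{prec}} f \succ_{\mathrm{prec}} b$ the closure of (1) and (2) keeps producing deeper equations $a \approx f^n(b)$ (each $f^n(b)$ is smaller than $a$ in that order) until the cap is hit; under the KBO the two input equations are already closed. The numeric precedence values, the tuple encoding and the cap are assumptions of the example.

```python
# Added example (not the paper's or SPASS's code).  Ground terms are nested
# tuples with the symbol first: ("f", ("a",)) is f(a).  The precedence and
# the weight function are assumptions that follow the text: weight(t) is the
# number of symbols in t, and a >prec f >prec b as in the Nieuwenhuis example.

def size(t):
    """Number of constant and function symbols in a ground term (its weight)."""
    return 1 + sum(size(s) for s in t[1:])

def depth(t):
    return 0 if len(t) == 1 else 1 + max(depth(s) for s in t[1:])

def kbo(s, t, prec):
    """s >kbo t on ground terms (Definition 3): compare weights, then the head
    symbols by precedence, then the argument lists lexicographically."""
    if s == t:
        return False
    if size(s) != size(t):
        return size(s) > size(t)
    if s[0] != t[0]:
        return prec[s[0]] > prec[t[0]]
    for si, ti in zip(s[1:], t[1:]):
        if si != ti:
            return kbo(si, ti, prec)
    return False

def lpo(s, t, prec):
    """s >lpo t on ground terms: the lexicographic path order of the text's
    non-terminating example."""
    if s == t:
        return False
    if any(si == t or lpo(si, t, prec) for si in s[1:]):
        return True
    if not all(lpo(s, ti, prec) for ti in t[1:]):
        return False
    if s[0] != t[0]:
        return prec[s[0]] > prec[t[0]]
    for si, ti in zip(s[1:], t[1:]):
        if si != ti:
            return lpo(si, ti, prec)
    return False

def positions(t, path=()):
    """All (position, subterm) pairs of a ground term."""
    yield path, t
    for i, s in enumerate(t[1:], 1):
        yield from positions(s, path + (i,))

def replace(t, path, new):
    if not path:
        return new
    i = path[0]
    return t[:i] + (replace(t[i], path[1:], new),) + t[i + 1:]

def orient(eq, gt):
    """Orient a ground equation l ~ r so that the larger side comes first."""
    l, r = eq
    return (l, r) if gt(l, r) else (r, l)

def saturate(eqs, gt, cap=40):
    """Close a set of ground equations under superposition right into
    equalities (rule (sr=) of Table 1): an occurrence of s in another equation
    is replaced by t whenever s > t.  Trivial equations s ~ s are dropped.
    The loop stops once more than `cap` equations exist, which is how a
    non-terminating run shows up."""
    rules = {orient(e, gt) for e in eqs}
    changed = True
    while changed and len(rules) <= cap:
        changed = False
        for l, r in list(rules):
            for u, v in list(rules):
                for k, side in enumerate((u, v)):
                    for path, sub in positions(side):
                        if sub != l:
                            continue
                        new_side = replace(side, path, r)
                        eq = (new_side, v) if k == 0 else (u, new_side)
                        if eq[0] == eq[1]:
                            continue
                        o = orient(eq, gt)
                        if o not in rules:
                            rules.add(o)
                            changed = True
    return rules

# The text's example: (1) f(a) ~ a and (2) a ~ f(b), precedence a > f > b.
PREC = {"a": 2, "f": 1, "b": 0}
A, B = ("a",), ("b",)
EQS = [(("f", A), A), (A, ("f", B))]

def closure_size(order, cap=40):
    return len(saturate(EQS, lambda s, t: order(s, t, PREC), cap))

def max_equation_depth(order, cap=40):
    return max(depth(l) for l, _ in saturate(EQS, lambda s, t: order(s, t, PREC), cap))

if __name__ == "__main__":
    print("KBO:", closure_size(kbo), "equations")        # 2: (1) and (2) only
    print("LPO:", closure_size(lpo), "equations (cap hit)")
```

Under the KBO, (2) is oriented $f(b) \to a$, so neither left-hand side occurs inside the other equation and nothing new is derived; this is the size property (s) used in the proof of Lemma 5 at work, since every left-hand side is at least as large as its right-hand side.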

Let $\mathrm{eqs}(S)$ denote the set of all equality literals occurring in some clause $C$
in $S$.

Lemma 5. For all $S \in \mathrm{OCC1N}^{=}_{g}$ there is a constant $d$ (depending only on $S$)
such that $\tau(\mathrm{eqs}(\mathcal{G}^*(S))) \le d$.
Proof. Observe that, since all equality literals are ground, new terms occurring
in equality literals can only arise by replacing a ground (sub-)term by another
ground term via superposition.

We make use of the fact that $\succ$ respects the size of ground terms. More
exactly, let $\mathrm{size}(t)$ be the number of function and constant symbols occurring in
a ground term $t$; then, by definition of $\succ$,

(s) $s \succ t$ implies $\mathrm{size}(s) \ge \mathrm{size}(t)$

for all ground terms $s$ and $t$.

By the order conditions of the inference rules, any new term $t$ that arises
by superposing one equality into another must be smaller with respect to $\succ$
than some term occurring in a parent clause. Therefore, by (s), it cannot be
larger in size. In other words, the size of terms in $\mathrm{eqs}(\mathcal{G}^*(S))$ is bounded by the
maximal size of terms in $\mathrm{eqs}(S)$. Since there are only finitely many different
ground terms of bounded size (over a finite signature) we also obtain a bound
on $\tau(\mathrm{eqs}(\mathcal{G}^*(S)))$. □

Lemma 6. Let $S \in \mathrm{OCC1N}^{=}_{g}$ and let $d$ be the bound on $\tau(\mathrm{eqs}(\mathcal{G}^*(S)))$ obtained
in Lemma 5, above. Then $\tau^{+}(\mathcal{G}^*(S)) \le \max\{\tau^{+}(S), d + \tau^{+}(S)\}$.

Proof. Again, the proof proceeds by induction on the applications of the inference
operator $\mathcal{G}$ and case-distinction according to the inference rules.

With respect to ordered factoring and positive resolution the arguments are
the same as those in the proof of Lemma 2. (The only difference is that we refer
to part 2(b) instead of 2(c) of Proposition 1.) I.e. we obtain $\tau^{+}(E) \le \tau^{+}(C)$ for
any factor $E$ of a (positive) $\mathrm{OCC1N}^{=}_{g}$-clause $C$, as well as

$\tau^{+}(E) \le \max\{\tau^{+}(C), \tau^{+}(D)\}$

for any positive resolvent $E$ of $\mathrm{OCC1N}^{=}_{g}$-clauses $C$, $D$.

Consider superposition right:

$C = (\to s \approx t, \Delta) \qquad D = (\to \Sigma, L[s'])$

$E = (\to \Delta, \Sigma, L[t])\theta$

$s \succ t$ and $s = s'\theta$, where $C, D \in \mathcal{G}^*(S)$ and therefore, by Lemma 1, $\{C, D\} \in
\mathrm{OCC1N}^{=}_{g}$. Observe that $\tau(\theta(y)) \le \tau(s)$ for all $y$ in the domain of $\theta$. Moreover, by
condition (lin), $\Delta\theta = \Delta$ and $\Sigma\theta = \Sigma$. By Lemma 5 we thus obtain

$\tau^{+}(E) \le \max\{\tau^{+}(C), \tau^{+}(D), d + \tau^{+}(D)\}$. (3)

By the proof of Lemma 5 superposition right into an equality literal cannot
increase the term depth beyond the global bound $d$.

The only remaining inference rule that can change the maximal term depth
of the positive part of a clause is selective superposition:



124 Christian G. Fermüller and Georg Moser



where $s \succ t$ and $s = s'\theta$. Again, $C, D \in \mathcal{G}^*(S)$ and therefore, by Lemma 1,
$\{C, D\} \in \mathrm{OCC1N}^{=}_{g}$. It suffices to observe that the terms in the range of $\theta$ are
sub-terms of $s$ to obtain the bound of (3) also for this case.

Summarizing we obtain $\tau^{+}(\mathcal{G}^*(S)) \le \max\{\tau^{+}(S), d + \tau^{+}(S)\}$. □

The last step in proving a global bound on term depth, going from $\tau^{+}(\mathcal{G}^*(S))$
to $\tau(\mathcal{G}^*(S))$, is not difficult.

Lemma 7. For all $S \in \mathrm{OCC1N}^{=}_{g}$: $\tau(\mathcal{G}^*(S)) \le 2\tau^{+}(S) + \tau^{+}(S) + \tau_v(S) + d$.

Proof. From Lemma 4 we obtain the bound

$2\tau^{+}(S) + \tau_v(S)$ (4)

for the maximal depth of occurrence of a variable in $\mathcal{G}^*(S)$. Observe that, by the
linearity of the positive part of $\mathrm{OCC1N}^{=}_{g}$-clauses and the form of our inference
rules, only (sub-)terms $t$ occurring in the positive part of one parent clause and
replacing a variable from the other parent clause can increase the term depth
of a derived clause beyond $\tau_v(\mathcal{G}^*(S))$. Lemma 6 bounds the depth of $t$ by

$\max\{\tau^{+}(S) + d, \tau^{+}(S)\} \le \tau^{+}(S) + d$. (5)

Simplifying the sum of (4) and (5) we obtain q.e.d. □

The global bound on term depth alone does not yet imply that the inference
process converges, i.e., that only finitely many different clauses (up to renaming
of variables) can be derived. We also have to bound the length of derived clauses.
By the length $|C|$ of a clause $C$ we mean the number of literals (i.e. occurrences
of atoms) in $C$. This can be achieved by applying the condensation rule. In
contrast to the rules of the inference operator $\mathcal{G}$, condensation is a reduction rule
(compare Section 6). It removes redundant literals from a clause.

Definition 4. For any clause $C$ we denote by $\mathrm{cond}(C)$ a shortest sub-clause of
$C$ that is also an instance of $C$. It was proved by Joyner [Joy76] that $\mathrm{cond}(C)$
is unique (up to renaming of variables). We call $\mathrm{cond}(C)$ the condensate of $C$.

Definition 5. By $\mathcal{G}_c(S)$ we denote the set of condensates of all clauses in $\mathcal{G}(S)$.
$\mathcal{G}_c^*(S)$ denotes the transitive and reflexive closure of $\mathcal{G}_c$.

Lemma 8. If $S \in \mathrm{OCC1N}^{=}_{g}$ then $|C| \le l_S$ for all $C \in \mathcal{G}_c^*(S)$, where $l_S$ is some
constant (depending on $S$ only).

Proof. The literals of the positive part of any clause in $\mathcal{G}_c^*(S)$ are pairwise variable
disjoint. Therefore condensation removes one of the literals $L, L'$ from the
clause $(\Gamma \to L, L', \Sigma)$ if $L\nu = L'$, where $\nu$ is a renaming of variables not occurring
in $\Gamma$. From this observation and the bound on $\tau^{+}(\mathcal{G}_c^*(S))$ (Lemma 2)
we obtain a bound on the number of positive literals in a condensed clause,
since there are only finitely many (up to variable renaming) different atoms of
bounded depth.

Concerning the number of negative literals in a clause, observe that the only
rule of $\mathcal{G}$ that can add a negative literal is equality factoring (ef). However, the
added equality literals are ground. By Lemma 5 there are only finitely many
different equality literals in $\mathcal{G}^*(S)$. Therefore we obtain a bound on $|\Gamma|$ for all
$(\Gamma \to \Sigma) \in \mathcal{G}_c^*(S)$ from the fact that condensation removes copies of identical
literals from any clause.

Summarizing, we have proved that $|C|$ is bounded for $C \in \mathcal{G}_c^*(S)$. □

Theorem 2. The inference system $\mathcal{G}_c$ provides a decision procedure for the
class $\mathrm{OCC1N}^{=}_{g}$.

Proof. Let $S \in \mathrm{OCC1N}^{=}_{g}$. It is easy to check that replacing all clauses by their
condensates does not violate the invariants of Lemmas 1-7. Therefore we may
combine the bound on the depth of clauses $C \in \mathcal{G}^*(S)$ (see Lemma 7) with the
bound on the length of clauses in $\mathcal{G}_c^*(S)$ (see Lemma 8) and conclude that there
are only finitely many different clauses in $\mathcal{G}_c^*(S)$.

We can therefore effectively compute $\mathcal{G}_c^*(S)$ (by iteratively applying $\mathcal{G}_c$ until
a fixed point is reached) and check whether it contains the empty clause.
The decidability of $\mathrm{OCC1N}^{=}_{g}$ thus follows from the soundness and (refutational)
completeness of the inference system $\mathcal{G}_c$. □

Remark 3. One might want to consider² the class $\mathrm{OCC1N}^{=}_{g^{-}}$, arising from
$\mathrm{OCC1N}^{=}_{g}$ by dropping the restriction that equality literals have to be ground
for positive literals. However, one cannot directly apply the above machinery to
this class, since $\mathrm{OCC1N}^{=}_{g^{-}}$ is not closed under applications of equality factoring.
(Whether another version of the superposition calculus terminates on $\mathrm{OCC1N}^{=}_{g^{-}}$
remains open.)

Similarly, one may investigate the class $\mathrm{OCC1N}^{=}_{g^{+}}$, where only positive equality
literals have to be ground. Observe that $\mathrm{OCC1N}^{=}_{g^{+}}$ is not closed under equality
resolution (appearing in our version of the superposition calculus as selective
resolution).



6 Spass and $\mathcal{G}_c$

Spass³ [WAB+99,Wei00] is a theorem prover for (sorted) first-order logic with
equality. Primarily, it is an implementation of the calculi $\mathcal{S}_S$ and $\mathcal{V}_S$⁴ presented
in [BG94]. Spass provides a number of options to fine-tune the system that
would in principle allow one to directly implement $\mathcal{G}_c$ by an appropriate setting of
various control flags. However, we claim that one may also take advantage of the
following features of Spass, which are not present in $\mathcal{G}_c$:

² As suggested by an anonymous referee.

³ When we refer to specific properties of Spass, we actually refer to Spass Version
1.0.x as freely distributed at http://spass.mpi-sb.mpg.de/

⁴ The calculus $\mathcal{V}_S$ consists of equality resolution, ordered factoring, superposition and
merging paramodulation with selection function $S$.

— additional order restrictions on the inference rules,

— additional reduction rules, and

— a form of case analysis called splitting rule.

We refer to Section 8 for details on splitting. (We will see that splitting turns
Spass into a model builder for $\mathrm{OCC1N}^{=}_{g}$.) We do not intend to use the sort
constraint handling mechanism of Spass here.

Additional order restrictions on inference rules obviously cannot spoil the
termination of the inference process when $\mathcal{G}_c^*(S)$ is finite. Concerning reduction,
we always assume the condensation rule to be used (as it is part of $\mathcal{G}_c$). (Note
that condensation is nicely supported by Spass, compare [Wei00].)

If one wants to employ additional reduction rules of Spass like subsumption,
tautology deletion, unit conflict, terminator, local clause reduction, local rewriting
and unit rewriting (see [Wei00] for definitions) one has to check that the
invariants established for $S \in \mathrm{OCC1N}^{=}_{g}$ with respect to $\mathcal{G}$ in Lemmas 1-7 remain
valid also with respect to the refined inference operator, which we will call
$\mathcal{I}_{\mathrm{Spass}}$ from now on. In all cases this trivially follows from the definitions of the
rules of $\mathcal{I}_{\mathrm{Spass}}$ for $\mathrm{OCC1N}^{=}_{g}$.

We summarize the observations of this section as a corollary to Theorem 2:

Corollary 1. An appropriate setting of parameters in Spass results in a sound
and complete inference operator, which terminates on inputs $S \in \mathrm{OCC1N}^{=}_{g}$ and
thus decides this class.

7 Representing Models by Atoms and Ground Equalities

A satisfiable clause set that is closed under a complete inference operator may
be considered as a representation of the class of its models. However, when
speaking of model building, we aim at something more ambitious: we want to
extract simple and useful syntactical representations of single models from the
information generated by standard theorem provers. It is natural to concentrate
on term models in this context. (We refer to [FL98,FL96,Tam92,Pel97] for a
more detailed presentation of this type of model building.)

Various criteria for a representation $\mathcal{R}_{\mathcal{M}}$ of a (term) model $\mathcal{M}$ to be appropriate
(in this context) have been suggested; they include:

— Given $\mathcal{R}_{\mathcal{M}}$, there should be an efficient algorithm for deciding whether an
atom holds in $\mathcal{M}$ or not.

— Evaluation of clauses with respect to $\mathcal{M}$ should be computable.

— Given two representations it should be decidable whether they represent the
same model.

In addition, we consider it an advantage if the representations consist in syntactic
structures that are already present in the output of a standard theorem
prover. (I.e. we want to avoid the use of additional formalisms like, e.g., explicit
constraints, tree grammars or term schematizations, if possible.)

Have Spass with $\mathrm{OCC1N}^{=}_{g}$

Fortunately, a representation format that is suitable for $\mathrm{OCC1N}^{=}_{g}$ and fulfills
all above mentioned criteria, so-called atomic representations, has been
investigated, e.g., in [FL96,FL98,GP99]. In the presence of equality, term models
can be viewed as ordinary Herbrand models (i.e. interpretations over the set of
all ground terms over the signature⁵) where $\approx$ is interpreted as a congruence
relation. In our context, an atomic representation of a term model with respect
to some signature $\mathrm{Sig}$ consists in the union of a finite set of linear (non-equality)
atoms $At$ and a finite set of ground equalities $Eq$ (over $\mathrm{Sig}$). The term model
$\mathcal{M}_{At,Eq}$ represented by $At$ and $Eq$ with respect to $\mathrm{Sig}$ is defined by

$A$ is true in $\mathcal{M}_{At,Eq}$ $\iff$ $At \cup Eq \models A$

for all ground atoms $A$ over $\mathrm{Sig}$.

Observe that the ground equations in $Eq$ induce a complete and terminating
term rewrite system $\mathcal{R}_{Eq}$. To test whether an atom $A$ is true in $\mathcal{M}_{At,Eq}$ it suffices
to check whether the normal form of $A$ with respect to $\mathcal{R}_{Eq}$ is an instance of
some $A' \in At$.
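The membership test just described (normalize with respect to $\mathcal{R}_{Eq}$, then match the normal form against $At$), together with the variant-removal form of condensation used in the proof of Lemma 8, as an added example (not the paper's or SPASS's code). The representation $At$, $Eq$ is constructed and assumed to be saturated, as the output of a terminating run would be; the test depends on that, which is why $P(a)$, the superposition of $f(a) \approx a$ into $P(f(x))$, is part of $At$. The tuple encoding and the sample atoms are assumptions of the example.

```python
# Added example (not the paper's or SPASS's code).  Terms and atoms are nested
# tuples with the symbol first; a variable is a plain str.  An equality atom is
# written ("~", s, t).  Eq is a list of ground equalities already oriented
# l -> r by the reduction order (here the KBO of Definition 3, so the larger
# term is on the left); At is a list of linear non-equality atoms.

def is_var(t):
    return isinstance(t, str)

def match(pattern, term, subst=None):
    """Return a substitution sigma with pattern*sigma == term, or None."""
    subst = {} if subst is None else subst
    if is_var(pattern):
        if pattern in subst and subst[pattern] != term:
            return None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def is_variant(a, b):
    """a and b are equal up to renaming of variables."""
    return match(a, b) is not None and match(b, a) is not None

def condense_disjoint_positive(atoms):
    """Condensation for a positive clause whose literals are pairwise variable
    disjoint, the situation of Lemma 8: a literal that is a variant of another
    one is redundant and is dropped."""
    kept = []
    for a in atoms:
        if not any(is_variant(a, k) for k in kept):
            kept.append(a)
    return kept

def rewrite_step(t, rules):
    """One innermost rewrite step with the ground rules; None if t is in
    normal form."""
    if is_var(t):
        return None
    args = list(t[1:])
    for i, s in enumerate(args):
        r = rewrite_step(s, rules)
        if r is not None:
            args[i] = r
            return (t[0],) + tuple(args)
    for l, r in rules:
        if t == l:
            return r
    return None

def normal_form(t, rules):
    """Normal form with respect to the (terminating) rewrite system R_Eq."""
    while True:
        n = rewrite_step(t, rules)
        if n is None:
            return t
        t = n

def holds(atom, At, Eq):
    """Truth of a ground atom in the term model M_{At,Eq}: an equality s ~ t
    holds iff both sides have the same normal form; any other atom holds iff
    its normal form is an instance of some atom in At."""
    if atom[0] == "~":
        return normal_form(atom[1], Eq) == normal_form(atom[2], Eq)
    nf = normal_form(atom, Eq)
    return any(match(a, nf) is not None for a in At)

# Constructed sample representation, assumed to be saturated as a terminating
# run would leave it: f(a) -> a together with P(f(x)), P(a) and Q(g(x, y));
# P(a) is the result of superposing f(a) ~ a into P(f(x)).
A = ("a",)
EQ = [(("f", A), A)]
AT = [("P", ("f", "x")), ("P", A), ("Q", ("g", "x", "y"))]

if __name__ == "__main__":
    print(holds(("P", ("f", ("f", A))), AT, EQ))       # True: normal form P(a)
    print(holds(("~", ("f", ("f", A)), A), AT, EQ))     # True: f(f(a)) -> a
    print(holds(("P", ("b",)), AT, EQ))                 # False
    print(condense_disjoint_positive(
        [("P", ("f", "x")), ("P", ("f", "y")), ("Q", "x", "y"), ("Q", "u", "u")]))
```

Without $P(a)$ in $At$ the query $P(f(f(a)))$ would be rejected although $At \cup Eq \models P(f(f(a)))$; the normal-form test is only sound for a saturated representation, which is exactly what the open branches of Section 8 deliver.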

Consider clause evaluation with respect to $\mathcal{M}_{At,Eq}$. Obviously, clauses $C \in
S \in \mathrm{OCC1N}^{=}_{g}$ over $\mathrm{Sig}$ can be evaluated by applying the terminating inference
operator to $At \cup Eq \cup \{C\}$. If $C$ (not necessarily fulfilling the $\mathrm{OCC1N}^{=}_{g}$-conditions)
does not contain equality literals, the evaluation procedures given in [FL96] and
[FL98] are applicable. We conjecture that evaluating general clauses in which
all equality literals are ground is possible by similar methods. The fully general
case is still open.

For the equivalence test for model representations and the construction of
corresponding finite models we refer to [FL96] and [FL98]. The algorithmic complexity
of various problems related to atomic representations has been investigated
in [Pic98a,Pic98b,GP99].

8 Model Building by Splitting

Splitting may be considered as a special form of "proof by case analysis":

$C = (\Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)$

$C_1 = (\Gamma_1 \to \Delta_1) \quad \| \quad C_2 = (\Gamma_2 \to \Delta_2)$

where $\mathrm{vars}(\Gamma_1, \Delta_1) \cap \mathrm{vars}(\Gamma_2, \Delta_2) = \emptyset$, and neither $C_1$ nor $C_2$ is empty. Obviously
we have: $S \cup \{C_1\} \models S \cup \{C\}$ and $S \cup \{C_2\} \models S \cup \{C\}$.

The format of the rule is quite different from the other Spass rules and
motivates an abstract notion of derivation. A derivation from a set of clauses
$S$ is a finitely branching (possibly infinite) tree $T_S$, the nodes of which are sets
of clauses. It is defined inductively according to the different types of rules in
Spass:

— $S$ is the root of $T_S$.

— A node $S'$ has either a single successor node $S''$ such that

• $S'' = S' \cup \{E\}$, where $E$ is the result of applying an inference rule of
$\mathcal{I}_{\mathrm{Spass}}$ to premisses in $S'$, or

• $S''$ is the result of applying a reduction rule of $\mathcal{I}_{\mathrm{Spass}}$ to $S'$,

or it has two successor nodes $S'_1$, $S'_2$ such that

• $S'_1 = S' \cup \{C_1\}$ and $S'_2 = S' \cup \{C_2\}$, where $C_1$ and $C_2$ represent the cases
obtained by the splitting rule applied to some clause $C$ in $S'$.

A branch $S, S_1, S_2, \ldots$ of $T_S$ is called open if it does not contain the empty
clause. Our aim is to show that all open branches of $T_S$, as generated by Spass,
contain an atomic representation of a model of $S$ for all satisfiable $S \in \mathrm{OCC1N}^{=}_{g}$.
For this purpose we briefly recall some concepts from [BG94].

Remember that their superposition calculus is defined with respect to some
fixed reduction order $\succ$. This order can be extended to a well-founded order $\succ_c$
on ground clauses in a canonic way.

Let $S$ be a set of clauses, and $C$ be any ground clause. We call $C$ redundant
with respect to $S$ if there exist ground instances $C_1, \ldots, C_k$ of clauses in $S$ such
that $C_1, \ldots, C_k \models C$ and $C \succ_c C_i$ for all $1 \le i \le k$. A clause $C$ is called
redundant if all its ground instances are redundant.

A set of clauses $S$ is called saturated (with respect to $\mathcal{I}_{\mathrm{Spass}}$) if every conclusion
$C$ of an $\mathcal{I}_{\mathrm{Spass}}$-inference from $S$, not already included in $S$, is redundant.

For any branch $S, S_1, S_2, \ldots$ in $T_S$ we call $S_\infty = \bigcup_{j} \bigcap_{k \ge j} S_k$ the limit of this
branch. A derivation $T_S$ is fair if, for any branch $S, S_1, S_2, \ldots$ in $T_S$, each clause
$C$ that can be derived (using inference rules of $\mathcal{I}_{\mathrm{Spass}}$) from its limit is contained
in some $S_j$.

The completeness of Spass can be expressed now as follows:

Proposition 3. Assume that $T_S$ is a fair derivation. Every limit $S_\infty$ of a branch
$S, S_1, S_2, \ldots$ in $T_S$ is saturated and every model of $S_\infty$ is also a model of $S$.

We say that a branch $S, S_1, S_2, \ldots$ of a derivation $T_S$ terminates with a set
of clauses $S_k$, occurring on the branch, if $S_k = S_\infty$ or $S_k$ contains the empty clause.
By Proposition 3, $S_k$ is saturated if $T_S$ is fair.

We extend the notion of saturatedness to derivations $T_S$. $T_S$ is saturated if it
is fair and if for every branch $S, S_1, S_2, \ldots$ of $T_S$, $S_\infty$ is closed under applications
of the splitting rule.

We say that a set of clauses $S$ decomposes into the set of non-positive clauses
$N$, non-equality atoms $At$ and ground equalities $Eq$ if $S = N \cup \{(\to A) : A \in
At\} \cup \{(\to s \approx t) : s \approx t \in Eq\}$.

Theorem 3. Let $T_S$ be a saturated derivation from some satisfiable $S \in
\mathrm{OCC1N}^{=}_{g}$. Then all open branches of $T_S$ terminate with some $S_k$ that decomposes
into $N$, $At$ and $Eq$. Moreover, $\mathcal{M}_{At,Eq}$ is a term model of $S$ over the
signature $\mathrm{Sig}$ of $S$.

⁵ The signature is augmented by a constant symbol if necessary to prevent the universe
from being empty.
Proof. Let $S \in \mathrm{OCC1N}^{=}_{g}$ be a satisfiable clause set. Let $T_S$ be a saturated
derivation from $S$. By our decidability proof, any open branch $S, S_1, S_2, \ldots$ in
$T_S$ terminates with some $S_k$. Moreover, we may conclude (from Lemma 1) that
$S_k \in \mathrm{OCC1N}^{=}_{g}$. Since $T_S$ is saturated, $S_k$ is closed under applications of the
splitting rule and therefore decomposes into $N$, $At$ and $Eq$.

To simplify notation, we abbreviate $\mathcal{M}_{At,Eq}$ by $\mathcal{M}$. Assume that $\mathcal{M}$ is not a
model of $S_k$. Let $\mathrm{False}_{\mathcal{M}}$ be the set of all ground atoms over $\mathrm{Sig}$ that are false
in $\mathcal{M}$. Then, by definition,

$S_k \cup \{(B \to) : B \in \mathrm{False}_{\mathcal{M}}\}$

is unsatisfiable. By compactness there exists a finite, unsatisfiable subset $\mathcal{F}$ of
$\{(B \to) : B \in \mathrm{False}_{\mathcal{M}}\}$ such that $S_k \cup \mathcal{F}$ is unsatisfiable. Therefore the empty
clause can be derived from $S_k \cup \mathcal{F}$ using any refutationally complete inference
system. In particular, there exists a finite sequence $Z_0, Z_1, \ldots, Z_l$, where $Z_0 =
S_k \cup \mathcal{F}$, $Z_{i+1} = Z_i \cup \{E_{i+1}\}$ for some clause $E_{i+1}$ that is a conclusion of an
$\mathcal{I}_{\mathrm{Spass}}$-inference from clauses in $Z_i$, and $E_l$ is the empty clause. By the completeness
proof for $\mathcal{I}_{\mathrm{Spass}}$ we may assume that none of the $E_i$ is redundant with respect to $S_k$.

Since $S_k$ is saturated and the clauses in $\mathcal{F}$ are negative (ground unit) clauses,
and since $\mathcal{I}_{\mathrm{Spass}}$ employs the positive superposition strategy (see Section 4), this
implies that no clauses from $N$ are involved in this derivation. In other words,
the empty clause can already be derived from clauses in $\mathcal{F}$, $\{(\to A) : A \in At\}$
and $\{(\to s \approx t) : s \approx t \in Eq\}$. But, by definition, all those clauses are true in $\mathcal{M}$.
Since $\mathcal{I}_{\mathrm{Spass}}$ is sound this means that the empty clause cannot be derived from
$S_k \cup \mathcal{F}$. This contradiction concludes the proof. □

Acknowledgement. We thank Robert Nieuwenhuis for pointing out an error
in a previous version of this paper.
Abstract. We propose a direct and fully automated translation from
standard security protocol descriptions to rewrite rules. This compilation
defines non-ambiguous operational semantics for protocols and intruder
behavior: they are rewrite systems executed by applying a variant of
AC-narrowing. The rewrite rules are processed by the theorem-prover daTac.
Multiple instances of a protocol can be run simultaneously as well as a
model of the intruder (among several possible). The existence of flaws
in the protocol is revealed by the derivation of an inconsistency. Our
implementation of the compiler CASRUL, together with the prover daTac,
permitted us to derive security flaws in many classical cryptographic
protocols.



Introduction 

Many verification methods have been applied to the analysis of some particular 
cryptographic protocols [22,5,8,24,34]. Recently, tools have appeared [17,13,9] to 
automatise the tedious and error-prone process of translating protocol descrip- 
tions into low-level languages that can be handled by automated verification 
systems. In this research stream, we propose a concise algorithm for a direct 
and fully automated translation of any standard description of a protocol, into 
rewrite rules. For analysis purposes, the description may include security require- 
ments and malicious agent (intruder) abilities. The asset of our compilation is 
that it defines non-ambiguous operational semantics for protocols (and intrud- 
ers): they are rewrite rules executed on initial data by applying a variant of 
narrowing [15]. 

In a second part of our work, we have processed the obtained rewrite rules 
by the theorem-prover daTac [33] based on first order deduction modulo associa- 
tivity and commutativity axioms (AC). Multiple instances of a protocol can be 
run simultaneously as well as a model of the intruder (among several possible). 
The existence of flaws in classical protocols (from [7]) has been revealed by the 
derivation of an inconsistency with our tool CASRUL. 



M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 131–160, 2000.
(c) Springer-Verlag Berlin Heidelberg 2000
In our semantics, the protocol is modelled by a set of transition rules applied on a multiset of objects representing a global state. The global state contains both sent messages and expected ones, as well as every piece of information collected by the intruder. Counters (incremented by narrowing) are used for dynamic generation of nonces (random numbers) and therefore ensure their freshness. The expected messages are automatically generated from the standard protocol description and describe concisely the actions to be taken by an agent when receiving a message. Hence, there is no need to specify these actions manually with special constructs in the protocol description. The verification that a
received message corresponds to what was expected is performed by unification 
between a sent message and an expected one. When there is a unifier, then a 
transition rule can be fired: the next message in the protocol is composed and 
sent, and the next expected one is built too. The message to be sent is composed 
from the previously received ones by simple projections, decryption, encryption 
and pairing operations. This is made explicit with our formalism. The informa- 
tion available to an intruder is also floating in the messages pool, and used for 
constructing faked messages, by ac-narrowing too. The intruder-specific rewrite 
rules are built by the compiler according to abilities of the intruder (for diverting 
and sending messages) given with the protocol description. 

It is possible to specify several systems (in the sense of [17]) running a protocol concurrently. Our compiler then generates a corresponding initial state. Finally, the existence of a security flaw can be detected by the reachability of a specific critical state. One critical state is defined for each security property given in the protocol description, by means of a pattern independent from the protocol.

We believe that a strong advantage of our method is that it is not ad hoc: the translation works without user interaction for a wide class of protocols and therefore does not run the risk of being biased towards the detection of a known flaw. To our knowledge, only two systems share this advantage, namely Casper [17] and CAPSL [21]. Therefore, we shall limit our comparison to these works.

Casper is a compiler from protocol specification to process algebra (CSP). The approach is oriented towards finite-state verification by model-checking with FDR [28]. We use almost the same syntax as Casper for protocol descriptions. However, our verification techniques, based on theorem proving methods, handle infinite-state models. This permits relaxing many of the strong assumptions made for bounding information (to get a finite number of states) in model checking. In particular, our counter technique based on narrowing directly ensures that all randomly generated nonces are pairwise different. This guarantees the freshness of information over sessions. Our approach is based on analysing infinite traces by refutational theorem-proving and it captures automatically the traces corresponding to attacks. Note that a recent interesting work by D. Basin [4] proposes a lazy mechanism for the automated analysis of infinite traces.

CAPSL [21] is a specification language for authentication protocols in the flavour of Casper's input. There exists a compiler [9] from CAPSL to an intermediate formalism CIL which may be converted to an input for automated verification tools such as Maude, PVS, NRL [20]. The rewrite rules produced by our compilation are also an intermediate language, which has the advantage of being an idiom understood by many automatic deduction systems. In our case we have a single rule for every protocol message exchange, as opposed to CIL which has two rules. For this reason, we feel that our model is closer to Dolev and Yao's original model of protocols [11] than other rewrite models are.

As a back-end system, the advantage of daTac over Maude is that ac-unification 
is built-in. In [8] it was necessary to program an ad-hoc narrowing algorithm in 
Maude in order to find flaws in protocols such as Needham-Schroeder Public 
Key. 

We should also mention the works by C. Meadows [19] who was the first 
to apply narrowing to protocol analysis. Her narrowing rules were however re- 
stricted to symbolic encryption equations. 

The paper is organised as follows. In Section 1, we describe the syntax for specifying a protocol $\mathcal{P}$ to be analysed and given as input to the translator. Section 2 presents the algorithm implemented in the translator to produce, given $\mathcal{P}$, a set of rewrite rules $\mathcal{R}(\mathcal{P})$. This set defines the actions performed by users following the protocol. The intruder won't follow the rules of the protocol, but will rather use various skills to abuse other users. His behaviour is defined by a rewrite system $\mathcal{I}$ given in Section 3. The execution of $\mathcal{P}$ in presence of an intruder may be simulated by applying narrowing with the rules of $\mathcal{R}(\mathcal{P}) \cup \mathcal{I}$ on some initial term. Therefore, this defines an operational semantics for security protocols (Section 4). In Section 5, we show how flaws of $\mathcal{P}$ can be detected by pattern matching on execution traces, and Section 6 describes the deduction techniques underlying the theorem prover daTac and some experiments performed with this system. For additional information the interested reader may refer to http://www.loria.fr/equipes/protheo/SOFTWARES/CASRUL/.

We assume that the reader is familiar with basic notions of cryptography 
and security protocols (public and symmetric key cryptography, hash functions) 
[30], and of term rewriting [10]. 

1 Input Syntax 

We present in this section a precise syntax for the description of security protocols. It is very close to the syntax of CAPSL [21] or Casper [17] though it differs on some points, for instance on those in Casper which concern CSP. The specification of a protocol $\mathcal{P}$ comes in seven parts (see Example 1, Figure 1). Three concern the protocol itself and the others describe an instance of the protocol (for a simulation).



1.1 Identifiers Declarations 

The identifiers used in the description of a protocol $\mathcal{P}$ have to be declared to belong to one of the following types: user (principal name), public_key, symmetric_key, table, function, number. The type number is an abstraction for any kind of data (numeric, text or record ...) not belonging to one of the other types (user, key etc). An identifier $T$ of type table is a one-entry array which associates public keys to user names ($T[D]$ is the public key of $D$). Therefore, public keys may be declared alone or by means of an association table. An identifier $F$ of type function is a one-way (hash) function. This means that one cannot retrieve $X$ from the digest $F(X)$.

The unary postfix function symbol $\_^{-1}$ is used to represent the private key associated to some public key. For instance, in Figure 1, $T[D]^{-1}$ is the private key of $D$.

Among users, we shall distinguish an intruder I (it is not declared). It has 
been shown by G. Lowe [18] that it is equivalent to consider an arbitrary number 
of intruders which may communicate and one single intruder. 



1.2 Messages 

The core of the protocol description is a list of lines specifying the rules for sending messages,

$$(i.\ S_i \rightarrow R_i : M_i)_{1 \le i \le n}$$

For each $i \le n$, the components $i$ (step number), $S_i$, $R_i$ (users, respectively sender and receiver of the message) and $M_i$ (message) are ground terms over a signature $F$ defined as follows. The declared identifiers as well as $I$ are nullary function symbols of $F$. The symbols of $F$ with arity greater than 0 are $\_[\_]$ (table access), $\_(\_)$ (one-way function application), $(\_,\_)$ (pairing), $\{\_\}_\_$ (encryption). We assume that multiple arguments in $(\_, \ldots, \_)$ are right associated. We use the same notation for public key and symmetric key encryption (overloaded operator). Which function is really employed shall be determined unambiguously by the type of the key.

Example 1. Throughout the paper, we illustrate our method on two toy examples of protocols inspired by [36] and presented in Figure 1. These protocols describe message exchanges in a home cable TV set made of a decoder $D$ and a smartcard $C$. $C$ is in charge of recording and checking the user's subscription rights to channels. In the first rule of the symmetric key version, the decoder $D$ transmits his name together with an instruction $Ins$ to the smartcard $C$. The instruction $Ins$, summarised in a number, may be of the form "(un)subscribe to channel n" or also "check subscription right for channel n". It is encrypted using a symmetric key $K$ known by $C$ and $D$. The smartcard $C$ executes the instruction $Ins$ and if everything is fine (e.g. the subscription rights are paid for channel n), he acknowledges to $D$, with a message containing $C$, $D$ and the instruction $Ins$ encrypted with $K$. In the public key version, the private keys of $D$ and $C$ respectively are used for encryption instead of $K$.
    protocol TV; % symmetric key
    identifiers
      C, D : user;
      Ins : number;
      K : symmetric_key;
    messages
      1. D -> C : (D, {Ins}K)
      2. C -> D : (C, D, {Ins}K)
    knowledge
      D : C, K;
      C : K;
    session_instance :
      [D : tv, C : scard, K : key];
    intruder : divert, impersonate;
    intruder_knowledge : scard;
    goal : correspondence_between scard, tv;

    protocol TV; % public key
    identifiers
      C, D : user;
      Ins : number;
      T : table;
    messages
      1. D -> C : (D, {Ins}T[D]^-1)
      2. C -> D : (C, {Ins}T[C]^-1)
    knowledge
      D : C, T, T[D]^-1;
      C : T, T[C]^-1;
    session_instance :
      [D : tv, C : scard, T : key];
    intruder : eaves_dropping;
    intruder_knowledge : key;
    goal : secrecy_of Ins;

Fig. 1. Cable TV toy examples



1.3 Knowledge 

At the beginning of a protocol execution, each principal needs some initial knowl- 
edge to compose his messages. 

The field following knowledge associates to each user a list of terms of $T(F)$ describing all the data (names, keys, functions etc) he knows before the protocol starts. We assume that the own name of every user is always implicitly included in his initial knowledge. The intruder's name $I$ may also figure here. In some cases indeed, the intruder's name is known by other (naive) principals, who shall start to communicate with him because they ignore his bad intentions.

Example 2. In Example 1, $D$ needs the name of the smartcard $C$ to start communication. In the symmetric key version, both $C$ and $D$ know the shared key $K$. In the public key version, they both know the table $T$. It means that whenever $D$ knows $C$'s name, he can retrieve and use his public key $T[C]$, and conversely. Note that the number $Ins$ is not declared in $D$'s knowledge. This value may indeed vary from one protocol execution to another, because it is created by $D$ at the beginning of a protocol execution. The identifier $Ins$ is therefore called a fresh number, or nonce (for oNly once), as opposed to persistent identifiers like $C$, $D$ or $K$.

Definition 1. Identifiers which occur in a knowledge declaration $U : \ldots$ (including the user name $U$) are called persistent. Other identifiers are called fresh.

The subset of $F$ of fresh identifiers is denoted $F_{fresh}$. The identifier $ID \in F_{fresh}$ is said to be fresh in $M_i$ if $ID$ occurs in $M_i$ and does not occur in any $M_j$ for $j < i$. We denote $fresh(M_i)$ the list of identifiers fresh in $M_i$ (occurring in this order). We assume that if there is a public key $K \in fresh(M_i)$ then $K^{-1}$ also occurs in $fresh(M_i)$ (right after $K$). Fresh identifiers are indeed instantiated by a principal in every protocol session, for use in this session only, and disappear at the end of the session. This is typically the case of nonces. Moreover we assume that the same fresh value cannot be created in two different executions of a protocol. Symmetric keys may either be persistent or fresh.

1.4 Session Instances 

This field proposes some possible values to be assigned to the persistent identifiers (e.g. tv for $D$ in Figure 1) and thus describes the different systems (in the sense of Casper [17]) for running the protocol. The different sessions can take place concurrently or sequentially an arbitrary number of times.

Example 3. In Figure 1, the field session_instance contains only one trivial declaration, where one value is assigned to each identifier. This means that we want a simulation where only one system is running the protocol (i.e. the number of concurrent sessions is one, and the number of sequential sessions is unbounded).

1.5 Intruder 

The intruder field describes which strategies the intruder can use, among pas- 
sive eaves_dropping, divert, impersonate. These strategies are described in 
Section 3. A blank line here means that we want a simulation of the protocol 
without intruder. 

1.6 Intruder Knowledge 

The intruder_knowledge is a set of values introduced in session_instance, but not a set of identifiers (unlike the knowledge of the other principals).

1.7 Goal 

This is the kind of flaw we want to detect. There are two families of goals, 
correspondence_between and secrecy_of (see Sections 5.4 and 5.3). The se- 
crecy is related to one identifier which must be given in the declaration, and the 
correspondence is related to two users. 

2 Protocol Rules 

We shall give a formal description of the possible executions of a given protocol in the formalism of normalised ac-narrowing. More precisely, we give an algorithm which translates a protocol description $\mathcal{P}$ in the above syntax into a set of rewrite rules $\mathcal{R}(\mathcal{P})$.

We assume given a protocol $\mathcal{P}$, described by all the fields defined in Section 1, such that

$$R_i = S_{i+1} \quad \text{for } i = 0 \ldots n-1$$

This hypothesis is not restrictive since we can add empty messages. For instance, we can replace

    i.   A -> B : M        by     i.   A -> B : M
    i+1. C -> D : M'              i+1. B -> C : (empty message)
                                  i+2. C -> D : M'

For technical convenience, we let $R_0 = S_1$ and assume that $S_0$, $M_0$ are defined and are two arbitrary new constants of $F$.

As in the model of Dolev and Yao [11] the translation algorithm associates to each step $S_i \rightarrow R_i : M_i$ a rewrite rule $l_i \rightarrow r_i$. An additional rule $l_{n+1} \rightarrow r_{n+1}$ is also created. The left member $l_i$ describes the tests performed by $R_{i-1}$ after receiving the message $M_{i-1}$: $R_{i-1}$ compares $M_{i-1}$ (by unification) with a pattern describing what was expected. The right member $r_i$ describes how $S_i = R_{i-1}$ composes and sends the next message $M_i$, and what is the pattern of the next message expected. This representation makes explicit most of the actions performed during protocol execution (recording information, checking and composing messages), which are generally hidden in protocol descriptions. How to build the message from the pieces has to be carefully (unambiguously) specified. The expected pattern has also to be described precisely.

Example 4. In the symmetric key version of the protocol described in Figure 1, the cipher $\{Ins\}_K$ in the last field of message 2 may be composed in two ways: either directly by projection on the second field of message 1, or by decryption of this projection (on the second field of message 1), and re-encryption of the value $Ins$ obtained, with key $K$. The first (shortest) case is chosen in our procedure.

The pattern expected by $C$ for message 1 is $(x_1, \{x_2\}_K)$, because $C$ does not know $D$'s name in advance, nor the number $Ins$. The pattern expected by $D$ for message 2 is $(C, D, \{Ins\}_K)$, because $D$ wants to check that $C$ has sent the right $Ins$.



2.1 Normalised ac-Narrowing 

Our operational semantics for protocols are based on narrowing [15]. To be more 
precise, each step of an execution of the protocol V is simulated by a narrowing 
step using R{V). We recall that narrowing unifies the left-hand side of a rewrite 
rule with a target term and replaces it with the corresponding right-hand side, 
unlike standard rewriting which relies on matching left-hand sides. 

Let $T(\mathcal{F}, X)$ denote the set of terms constructed from a (finite) set $\mathcal{F}$ of function symbols and a (countable) set $X$ of variables. The set of ground terms $T(\mathcal{F}, \emptyset)$ is denoted $T(\mathcal{F})$. In our notations, every variable starts by the letter $x$. We use $u[t]_p$ to denote a term that has $t$ as a subterm at position $p$. We use $u[\cdot]$ to denote the context in which $t$ occurs in the term $u[t]_p$. By $u|_p$, we denote the subterm of $u$ rooted at position $p$. A rewrite rule over a set of terms is an ordered pair $(l, r)$ of terms and is written $l \rightarrow r$. A rewrite system $S$ is a finite set of such rules. The rewrite relation $\rightarrow_S$ can be extended to rewrite over congruence classes defined by a set of equations $AC$, rather than terms. These constitute ac-rewrite systems. In the following the set $AC$ will be $\{x.(y.z) = (x.y).z,\ x.y = y.x\}$ where $.$ is a special binary function used for representing multisets of messages. The congruence relation generated by the $AC$ axioms will be denoted $=_{AC}$. For instance $e.h.g =_{AC} g.e.h$. A term $s$ ac-rewrites by $S$ to another term $t$, denoted $s \rightarrow_S t$, if $s|_p =_{AC} l\sigma$ and $t = s[r\sigma]_p$, for some rule $l \rightarrow r$ in $S$, position $p$ in $s$, and substitution $\sigma$. When $s$ cannot be rewritten by $S$ in any way we say it is a normal form for $S$. We note $s \downarrow_S t$, or $t = s\!\downarrow_S$, if there is a finite sequence of rewritings $s \rightarrow_S s_1 \rightarrow_S \cdots \rightarrow_S t$ and $t$ is a normal form for $S$.

Florent Jacquemard, Michael Rusinowitch, and Laurent Vigneron

In the following we shall consider two rewrite systems $\mathcal{R}$ and $S$. The role of the system $S$ is to keep the messages normalised (by rewriting), while $\mathcal{R}$ is used for narrowing. A term $s$ ac-narrows by $\mathcal{R}, S$ to another term $t$, denoted $s \leadsto_{\mathcal{R},S} t$, if i) $s$ is a normal form for $S$, and ii) $s|_p\sigma =_{AC} l\sigma$ and $t = (s[r]_p)\sigma\!\downarrow_S$, for some rule $l \rightarrow r$ in $\mathcal{R}$, position $p$ in $s$, and substitution $\sigma$.

Example 5. Assume $\mathcal{R} = \{a(x).c(x) \rightarrow c(x)\}$ and $S = \{c(x).c(x) \rightarrow 0\}$. Then $a(0).b(0).c(x) \leadsto_{\mathcal{R},S} b(0).c(0)$.

2.2 Messages Algebra 

We shall use for the rewrite systems $\mathcal{R}$ and $S$ a sorted signature $\mathcal{F}$ containing (among other symbols) all the non-nullary symbols of $F$ of Section 1, and a variable set $X$ which contains one variable $x_t$ for each term $t \in T(F)$.

Sorts. The sorts for T are: user, intruder, iuser = user U intruder, 
public_key, private_key, symmetric_key, table, function, number. Addi- 
tional sorts are text, a super-sort of all the above sorts, and int, message 
and list_of. 

Signature. All the constants occurring in a declaration session_instance are constant symbols of $\mathcal{F}$ (with the same sort as the identifier in the declaration). The symbol $I$ is the only constant of sort intruder in $\mathcal{F}$. The pairing function $(\_,\_)$ (profile text × text → text) and encryption functions $\{\_\}_\_$ (text × public_key → text or text × private_key → text or text × symmetric_key → text) are the same as in $F$ (see Section 1.2), as well as the unary function $\_^{-1}$ (public_key → private_key or private_key → public_key) for private keys (see Section 1.1), and as the table function $\_[\_]$ (table × iuser → public_key). We use a unary function symbol $nonce(\_)$ : int → number for the fresh numbers, see Section 2.4. We shall use similar unary functions $PK(\_)$ (int → public_key) and $SK(\_)$ (int → symmetric_key) for respectively public and symmetric fresh keys.

At last, the constant $0$ (sort int) and unary successor function $s(\_)$ (int → int) will be used for integer (time) encoding. Some other constants $1, \ldots, k$ and $0, 1, \ldots$ and some alternative successor functions $s_1(\_), \ldots, s_k(\_)$ are also used. The number $k$ is fixed according to the protocol $\mathcal{P}$ (see page 140).

From now on, $x_t$, $x_{pu}$, $x_p$, $x_s$, $x_{ps}$, $x_u$, $x_f$ are variables of respective sorts table, public_key, public_key ∪ private_key, symmetric_key, public_key ∪ private_key ∪ symmetric_key, user, and function. $K$, $SK$ and $KA$ will be arbitrary terms of $T(F)$ of resp. sorts public_key ∪ private_key, symmetric_key and public_key ∪ private_key ∪ symmetric_key.

Rewrite system for normalisation. In order to specify the actions performed by the principals, $\mathcal{F}$ contains some destructors. The decryption function applies to a text encrypted with some key, in order to extract its content. It is denoted the same way as the encryption function $\{\_\}_\_$. Compound messages can be broken into parts using projections $\pi_1(\_)$, $\pi_2(\_)$. Hence the relations it introduces in the message algebra are:

(1)–(3)  [decryption rules; left-hand sides lost in extraction]  $\rightarrow x$
(4)      [rule on inverse keys; left-hand side lost in extraction]  $\rightarrow x$
(5)      $\pi_1((x_1, x_2)) \rightarrow x_1$
(6)      $\pi_2((x_1, x_2)) \rightarrow x_2$



The rule (4) does not correspond to a real implementation of the generation of a private key from a public key. However, it is just a technical convenience. The terminating rewrite system (1)–(6) is called $S_0$. It can be easily shown that $S_0$ is convergent [10], hence every message $t$ admits a unique normal form $t\!\downarrow_{S_0}$ for $S_0$.

We assume from now on that the protocol V is normalised, in the following 
sense. 

Definition 2. A protocol $\mathcal{P}$ is called normalised if all the message terms in the field messages are in normal form w.r.t. $S_0$.

Note that this hypothesis is not restrictive since any protocol $\mathcal{P}$ is equivalent to the corresponding normalised protocol.
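As an added example (not code from the paper or from CASRUL), the following Python model of the message algebra implements the normalisation system $S_0$ and the check of Definition 2. The left-hand sides of rules (1)–(4) did not survive extraction, so they are taken here from the prose: a cipher opened with the matching key (the same symmetric key, or the inverse of a public or private key) yields its content, double key inversion cancels, and the projections take a pair apart. The tuple term representation, the sort table SORTS and the key names are assumptions of the example.

```python
# Added example (not the paper's code): a small model of the message algebra
# of Section 2.2 and of the normalisation system S0. Decryption rules (1)-(3)
# are read from the prose (a cipher opened with the matching key yields its
# content), rule (4) as double inversion cancelling, and (5)-(6) are the
# projections. Terms are tuples tagged by head symbol; atoms are strings
# whose sorts come from the assumed table SORTS.
from typing import Tuple, Union

Term = Union[str, Tuple]

def pair(a: Term, b: Term) -> Term: return ("pair", a, b)   # (a, b)
def enc(m: Term, k: Term) -> Term: return ("enc", m, k)     # {m}_k, also used for decryption
def inv(k: Term) -> Term: return ("inv", k)                 # k^-1
def proj1(t: Term) -> Term: return ("pi1", t)               # pi_1(t)
def proj2(t: Term) -> Term: return ("pi2", t)               # pi_2(t)

# Assumed sort declarations, standing in for the identifiers field.
SORTS = {"K": "symmetric_key", "PD": "public_key", "PC": "public_key",
         "Ins": "number", "C": "user", "D": "user"}

def sort_of(k: Term) -> str:
    """Sort of a key term; inverting swaps public_key and private_key."""
    if isinstance(k, tuple) and k[0] == "inv":
        flip = {"public_key": "private_key", "private_key": "public_key"}
        return flip.get(sort_of(k[1]), "number")
    return SORTS.get(k, "number")

def opens(k_enc: Term, k_dec: Term) -> bool:
    """True iff k_dec undoes an encryption under k_enc (rules (1)-(3))."""
    s = sort_of(k_enc)
    if s == "symmetric_key":
        return k_dec == k_enc
    if s in ("public_key", "private_key"):
        return normalise(inv(k_enc)) == k_dec
    return False

def normalise(t: Term) -> Term:
    """Normal form of t for S0. S0 is convergent, so the rewriting order does
    not matter; subterms are normalised first, then the root is reduced."""
    if not isinstance(t, tuple):
        return t
    head, *args = t
    args = [normalise(a) for a in args]
    first = args[0]
    if head == "enc" and isinstance(first, tuple) and first[0] == "enc":
        if opens(first[2], args[1]):          # {{x}_k}_k' -> x       (1)-(3)
            return first[1]
    if head == "inv" and isinstance(first, tuple) and first[0] == "inv":
        return first[1]                       # (x^-1)^-1 -> x        (4)
    if head == "pi1" and isinstance(first, tuple) and first[0] == "pair":
        return first[1]                       # pi_1((x1, x2)) -> x1  (5)
    if head == "pi2" and isinstance(first, tuple) and first[0] == "pair":
        return first[2]                       # pi_2((x1, x2)) -> x2  (6)
    return (head, *args)

def protocol_is_normalised(messages) -> bool:
    """Definition 2: every message term is already in S0-normal form."""
    return all(normalise(m) == m for m in messages)
```

Running `normalise` on the decrypt-then-re-encrypt form of the second field of message 2 (Example 4) gives the same normal form as the direct projection, which is why the translator may restrict itself to normalised protocols.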

2.3 Operators on Messages 

We define in this section some functions to be called during the construction of the system $\mathcal{R}(\mathcal{P})$ in Section 2.4.

Knowledge decomposition. We denote by $know(U, i)$ the information that a user $U$ has memorised at the end of the step $S_i \rightarrow R_i : M_i$ of the protocol $\mathcal{P}$. This information augments incrementally with $i$:

— if $U$ is the receiver $R_i$, then he records the received message $M_i$ as well as the sender's (official) name $S_i$,

— if $U$ is the sender $S_i$, then he records the fresh elements (nonces...) he has created for composing $M_i$ (and may use later),

— in any other case, the knowledge of $U$ remains unchanged.

The set $know(U, i)$ contains labelled terms $V : t \in T(F) \times T(\mathcal{F}, X)$. The label $t$ keeps track of the operations to derive $V$ from the knowledge of $U$ at the end of step $i$, using decryption and projection operators. This term $t$ will be used later for composing new messages.

The information is not only memorised but also decomposed with the function $CL$, which is the closure of a set of terms using the following four rules:

$$\text{infer } M : \{t\}_{t'} \text{ from } \{M\}_{SK} : t \text{ and } SK : t' \qquad (7)$$
$$\text{infer } M : \{t\}_{t'} \text{ from } \{M\}_{K} : t \text{ and } K^{-1} : t' \qquad (8)$$
$$\text{infer } M : \{t\}_{t'} \text{ from } \{M\}_{K^{-1}} : t \text{ and } K : t' \qquad (9)$$
$$\text{infer } M_1 : \pi_1(t) \ (10) \text{ and } M_2 : \pi_2(t) \ (11) \text{ from } (M_1, M_2) : t$$

The function $know()$ is defined by:

$$know(U, 0) = CL(\{T_1 : x_{T_1}, \ldots, T_k : x_{T_k}\})$$
where knowledge $U : T_1, \ldots, T_k$ is a statement of $\mathcal{P}$.
$$know(U, i+1) = know(U, i) \quad \text{if } U \ne S_{i+1} \text{ and } U \ne R_{i+1}$$
$$know(R_{i+1}, i+1) = CL(know(U, i) \cup \{M_{i+1} : x_{M_{i+1}},\ S_{i+1} : x_{S_{i+1}}\})$$
$$know(S_{i+1}, i+1) = CL(know(U, i) \cup \{N_1 : x_{N_1}, \ldots, N_k : x_{N_k}\})$$
where $N_1, \ldots, N_k = fresh(M_{i+1})$

Example 6. In the symmetric-key version of the Cable TV example (Figure 1), we have $Ins : \{\pi_2(x_M)\}_K \in know(C, 1)$ where $M$ is the first message and $x_M$ gets instantiated during the execution of a protocol instance.

Message composition. We define now an operator $compose(U, M, i)$ which returns a receipt of $T(\mathcal{F}, X)$ for the user $U$ for building $M$ from the knowledge gained at the end of step $i$ (hence, $U$'s knowledge at the beginning of step $i+1$). In that way, we formalise the basic operations performed by a sender when he composes the pieces of the message $M_{i+1}$. In rule (16) below, we assume that $M$ is the $k$-th nonce created in the message $M_{i+1}$.

$$compose(U, M, i) = t \quad \text{if } M : t \in know(U, i) \qquad (12)$$
$$compose(U, (M_1, M_2), i) = (compose(U, M_1, i), compose(U, M_2, i)) \qquad (13)$$
$$compose(U, \{M\}_{KA}, i) = \{compose(U, M, i)\}_{compose(U, KA, i)} \qquad (14)$$
$$compose(U, T[A], i) = compose(U, T, i)[compose(U, A, i)] \qquad (15)$$
$$compose(U, M, i) = nonce(s_k(x_{time})) \qquad (16)$$
$$compose(U, M, i) = Fail \quad \text{in every other case} \qquad (17)$$

The cases of the $compose()$ definition are tried in the given order. Other orders are possible, and more studies are necessary to evaluate their influence on the behaviour of our system. The construction in case (16) is similar when $M$ is a fresh public key or a fresh symmetric key, with respective terms $PK(s_k(x_{time}))$ and $SK(s_k(x_{time}))$.

Expected patterns. The term of $T(\mathcal{F}, X)$ returned by the following variant of $compose(U, M, i)$ is a filter used to check received messages by pattern matching. More precisely, the function $expect(U, M, i)$ defined below is called right after the message has been sent by $U$ (hence with $U = S_{i+1} = R_i$).

$$expect(U, M, i) = t \quad \text{if } M : t \in know(U, i) \qquad (18)$$
$$expect(U, (M_1, M_2), i) = (expect(U, M_1, i), expect(U, M_2, i)) \qquad (19)$$
$$expect(U, \{M\}_K, i) = \{expect(U, M, i)\}_{compose(U, K, i)} \qquad (20)$$
$$expect(U, \{M\}_{K^{-1}}, i) = \{expect(U, M, i)\}_{compose(U, K^{-1}, i)} \qquad (21)$$
$$expect(U, \{M\}_{SK}, i) = \{expect(U, M, i)\}_{compose(U, SK, i)} \qquad (22)$$
$$expect(U, T[A], i) = expect(U, T, i)[expect(U, A, i)] \qquad (23)$$
$$expect(U, M, i) = x_{U,M,i} \quad \text{in every other case} \qquad (24)$$



Note that unlike $compose()$, the $expect()$ function cannot fail. If the call to $compose()$ fails in one of the cases (20)–(22), then the case (24) is applied.

Example 7. The pattern expected by $C$ for message 1 (Figure 1, symmetric key version) is $expect(C, (D, \{Ins\}_K), i) = (x_{C,D,i}, \{x_{C,Ins,i}\}_{x_K})$ because $C$ does not know $D$'s name in advance, nor the number $Ins$, but he knows $K$.
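As an added example (not code from the paper or from CASRUL), the Python model below implements the labelled knowledge sets $know(U, i)$ closed under rules (7)–(11), and the operators $compose()$ (12)–(17) and $expect()$ (18)–(24), and runs them on the symmetric-key protocol of Figure 1, reproducing Examples 4, 6 and 7. Two simplifications are assumptions of the example: messages are flat $n$-ary tuples with projections $\pi_n$ (so receipts come out with $\pi_1(x_{M_1})$, $\pi_2(x_{M_1})$ as in the generated rules), and table access (15)/(23) is left out since the symmetric version has no table. The sort table SORTS and the variable naming are also constructed for the example.

```python
# Added example (not the paper's code): know(U, i) with closure rules
# (7)-(11), compose() (12)-(17) and expect() (18)-(24) of Section 2.3, run
# on the symmetric-key cable TV protocol of Figure 1 (constructed inline).
# Messages are flat n-ary tuples with projections pi_n; key sorts come from
# the assumed table SORTS; table access (15)/(23) is omitted.
from typing import Dict, List, Tuple, Union

Term = Union[str, Tuple]
FAIL = "Fail"

def tup(*fields: Term) -> Term: return ("tuple",) + fields   # (M1, ..., Mn)
def enc(m: Term, k: Term) -> Term: return ("enc", m, k)     # {m}_k (and decryption)
def inv(k: Term) -> Term: return ("inv", k)                 # k^-1
def var(name) -> Term: return ("var", name)                 # variable x_name
def proj(n: int, t: Term) -> Term: return ("pi", n, t)      # pi_n(t)

SORTS = {"K": "symmetric_key", "C": "user", "D": "user", "Ins": "number"}

# Figure 1, symmetric key:  1. D -> C : (D, {Ins}K)   2. C -> D : (C, D, {Ins}K)
STEPS = [("D", "C", tup("D", enc("Ins", "K"))),
         ("C", "D", tup("C", "D", enc("Ins", "K")))]
KNOWLEDGE = {"D": ["C", "K"], "C": ["K"]}          # knowledge field; own name implicit
PERSISTENT = set(KNOWLEDGE) | {a for ts in KNOWLEDGE.values() for a in ts}

def atoms(t: Term) -> set:
    if isinstance(t, str):
        return {t}
    return set().union(*(atoms(a) for a in t[1:] if not isinstance(a, int)))

def fresh(i: int) -> List[str]:
    """Identifiers fresh in M_i: non-persistent and absent from M_1..M_{i-1}."""
    earlier = set().union(*(atoms(STEPS[j][2]) for j in range(i - 1)))
    return [a for a in sorted(atoms(STEPS[i - 1][2])) if a not in PERSISTENT | earlier]

def derive(value: Term, label: Term, kn: Dict) -> List[Tuple[Term, Term]]:
    """One application of rules (7)-(11) to the labelled term value : label."""
    if not isinstance(value, tuple):
        return []
    if value[0] == "tuple":                                  # (10), (11)
        return [(f, proj(n, label)) for n, f in enumerate(value[1:], 1)]
    if value[0] == "enc":
        m, k = value[1], value[2]
        if isinstance(k, tuple):                 # {m}_{K^-1}: opened with K     (9)
            k_dec = k[1]
        elif SORTS.get(k) == "public_key":       # {m}_K: opened with K^-1       (8)
            k_dec = inv(k)
        else:                                    # {m}_SK: opened with SK        (7)
            k_dec = k
        if k_dec in kn:
            return [(m, enc(label, kn[k_dec]))]  # label records the decryption
    return []

def closure(kn: Dict) -> Dict:
    """CL: saturate under derive(); the first label found for a value is kept
    (the shortest receipt of Example 4 is found before longer ones)."""
    kn = dict(kn)
    changed = True
    while changed:
        changed = False
        for value, label in list(kn.items()):
            for v, l in derive(value, label, kn):
                if v not in kn:
                    kn[v] = l
                    changed = True
    return kn

def know(U: str, i: int) -> Dict:
    """know(U, i) as a {value: label} map."""
    if i == 0:
        return closure({t: var(t) for t in [U] + KNOWLEDGE[U]})
    S, R, M = STEPS[i - 1]
    kn = dict(know(U, i - 1))
    if U == R:        # receiver records the message, then the official sender name
        kn.setdefault(M, var("M%d" % i))
        kn = closure(kn)
        kn.setdefault(S, var("S%d" % i))
    elif U == S:      # sender records the fresh values he created for M_i
        for n in fresh(i):
            kn.setdefault(n, var(n))
    return kn

def compose(U: str, M: Term, i: int) -> Term:
    """Receipt for U to build M from know(U, i); cases (12)-(17) tried in order."""
    kn = know(U, i)
    if M in kn:                                                   # (12)
        return kn[M]
    if isinstance(M, tuple) and M[0] == "tuple":                  # (13)
        parts = [compose(U, f, i) for f in M[1:]]
        return FAIL if FAIL in parts else tup(*parts)
    if isinstance(M, tuple) and M[0] == "enc":                    # (14)
        m, k = compose(U, M[1], i), compose(U, M[2], i)
        return FAIL if FAIL in (m, k) else enc(m, k)
    if i < len(STEPS) and U == STEPS[i][0] and M in fresh(i + 1): # (16)
        k = fresh(i + 1).index(M) + 1            # M is the k-th nonce of M_{i+1}
        return ("nonce", ("s%d" % k, var("time")))
    return FAIL                                                   # (17)

def expect(U: str, M: Term, i: int) -> Term:
    """Pattern U matches a received M against; cases (18)-(24), never fails."""
    kn = know(U, i)
    if M in kn:                                                   # (18)
        return kn[M]
    if isinstance(M, tuple) and M[0] == "tuple":                  # (19)
        return tup(*(expect(U, f, i) for f in M[1:]))
    if isinstance(M, tuple) and M[0] == "enc":                    # (20)-(22)
        k = compose(U, M[2], i)
        if k != FAIL:
            return enc(expect(U, M[1], i), k)
    return var((U, M, i))                                         # (24)
```

With this model, `compose("D", M1, 0)` yields the body $(x_D, \{nonce(s_1(x_{time}))\}_{x_K})$ of the message sent in rule $tvs_1$ of Example 9, and `compose("C", M2, 1)` yields $(x_C, \pi_1(x_{M_1}), \pi_2(x_{M_1}))$, the receipt of rule $tvs_2$, while `compose("C", "Ins", 0)` fails because $C$ neither knows $Ins$ nor creates it.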



2.4 Narrowing Rules for Standard Messages Exchanges 

The global state associated to a step of a protocol instance will be defined as the set of messages $m_1. \ldots .m_n$ sent and not yet read, union the set of expected messages $w_1. \ldots .w_m$.

A sent message is denoted by $m(i, s', s, r, t, c)$ where $i$ is the protocol step when it is sent, $s'$ is the real sender, $s$ is the official sender, $r$ is the receiver, $t$ is the body of the message and $c$ is a session counter (incremented at the end of each session).

$$m : \text{step} \times \text{iuser} \times \text{iuser} \times \text{iuser} \times \text{text} \times \text{int} \rightarrow \text{message}$$

Note that $s$ and $s'$ may differ since messages can be impersonated (the receiver $r$ never knows the identity of the real sender $s'$).

A message expected by a principal is signalled by a term $w(i, s, r, t, \ell, c)$ with similar meaning for the fields $i$, $s$, $r$, $t$, and $c$, and where $\ell$ is a list containing $r$'s knowledge just before step $i$.

$$w : \text{step} \times \text{iuser} \times \text{user} \times \text{text} \times \text{list\_of text} \times \text{int} \rightarrow \text{message}$$
Nonces and freshness. We describe now a mechanism for the construction of fresh terms, in particular of nonces. This is an important aspect of our method. Indeed, it ensures freshness of the randomly generated nonces or keys over several executions of a protocol. The idea is the following: nonces admit as argument a counter that is incremented at each transition (this argument is therefore the age of the nonce). Hence if two nonces are emitted at different steps in an execution trace, their counters do not match. We introduce another term in the global state for representing the counter, with the new unary head symbol $h$. Each rewrite rule $l \rightarrow r$ is extended to $h(s(x_{time})).l \rightarrow h(x_{time}).r$ in order to update the counter. Note that the variable $x_{time}$ occurs in the argument of $nonce()$ in case (16) of the definition of $compose()$.

Rules. The rule set $\mathcal{R}(\mathcal{P})$ generated by our algorithm contains (for $i = 0..n$):

$$h(s(x_{time})) \,.\, w(i, x_{S_i}, x_{R_i}, x_{M_i}, \ell know(R_i, i), x_c) \,.\, m(i, x_r, x_{S_i}, x_{R_i}, x_{M_i}, c)$$
$$\rightarrow\ h(x_{time}) \,.\, m(i+1, x_{R_i}, x_{R_i}, compose(R_i, R_{i+1}, i), compose(R_i, M_{i+1}, i), c) \,.\, w(k_i, compose(R_i, S_{k_i}, i), x_{R_i}, expect(R_i, M_{k_i}, i'), \ell know(R_i, i'), c')$$

where $k_i$ is the next step when $R_i$ expects a message (see definition below), and $\ell know(R_i, i)$, $\ell know(R_i, i')$ are lists of variables described below.

If $i = 0$, the term $m(i, \ldots)$ is missing in the left member, and $c = x_c$.

If $1 \le i \le n$, then $c = x_{c'}$ (another variable).

If $i = n$, the term $m(i+1, \ldots)$ is missing in the right member.

In every case ($0 \le i \le n$),

if $k_i > i$ then $i' = i+1$ and $c' = x_c$,
if $k_i \le i$ then $i' = 0$ and $c' = s(x_c)$.

Note that the calls of $compose()$ may return $Fail$. In this case, the construction of $\mathcal{R}(\mathcal{P})$ stops with failure.

After receiving message $i$ (of content $x_{M_i}$) from $x_r$ (apparently from $x_{S_i}$), $x_{R_i}$ checks whether he received what he was expecting (by unification of the two instances of $x_{M_i}$), and then composes and sends message $i+1$. The term returned by $compose(R_i, M_{i+1}, i)$ contains some variables of the list $\ell know(R_i, i)$. As soon as he has sent message $i+1$, $x_{R_i}$ gets into a state where he is waiting for new messages. This is expressed by deleting the term $w(i, \ldots)$ (previously expected message) and generating the term $w(k_i, \ldots)$ in the right-hand side (next expected message). Hence sending and receiving messages are not synchronous (see e.g. [5]).

The function $\ell know(U, i)$ associates to a user $U$ and a (step) number $i \in \{0..n\}$ a term corresponding to a list of variables, used to refer to the knowledge of $U$. Below, $\ell :: a$ denotes the appending of the element $a$ at the end of a list $\ell$.

$$\ell know(U, 0) = (x_U, x_{T_1}, \ldots, x_{T_n})$$
where knowledge $U : T_1, \ldots, T_n$ is a statement of $\mathcal{P}$,
$$\ell know(U, i+1) = \ell know(U, i) \quad \text{if } U \ne R_i$$
$$\ell know(U, i+1) = \ell know(U, i) :: x_{M_i} :: x_{S_i} :: n_1 :: \ldots :: n_k \quad \text{if } U = R_i$$
where $fresh(M_{i+1}) = N_1, \ldots, N_k$
and $n_j = x_{N_j}$ if $N_j$ is of sort nonce or symmetric_key,
and $n_j = x_{N_j} :: x_{N_j^{-1}}$ if $N_j$ is of sort public_key.

The algorithm also uses the integer $k_i$ which is the next session step when $R_i$ expects a message. If $R_i$ is not supposed to receive another message in the current session then either he is the session initiator $S_1$ and $k_i$ is reinitialised to 0, otherwise $k_i$ is the first step in the next session where he should receive a message (and then $k_i \le i$). Formally, $k_i$ is defined for $i = 0$ to $n$ as follows:

$k_i = \min\{j \mid j > i \text{ and } R_j = R_i\}$ if this set is not empty;

otherwise $k_i = \min\{j \mid j \le i \text{ and } R_j = R_i\}$ (recall that $R_0 = S_1$ by hypothesis).

Example 8. In both protocols presented in Figure 1, one has $R_0 = D$, $R_1 = C$, $R_2 = D$, and therefore: $k_0 = 2$, $k_1 = 1$, $k_2 = 0$.

Lemma 1. $k$ is a bijection from $\{0, \ldots, n\}$ to $\{0, \ldots, n\}$.
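As an added example (not code from the paper or from CASRUL), the following Python functions compute the next-expected-step function $k_i$ and the knowledge-variable lists $\ell know(U, i)$ from a protocol given as its lists of senders and receivers, and check Lemma 1 on the result. The variable names are rendered as strings such as `x_M0`; the three-message protocol used in the tests, the fresh-identifier table and the dummy constant $S_0$ are constructed for the example.

```python
# Added example (not the paper's code): k_i and lknow(U, i) of Section 2.4,
# computed from the sender/receiver roles of a protocol. The wrap-around
# case k_i <= i (the receiver's next message lies in the next session) is the
# one that both protocols of Figure 1 exercise.
from typing import Dict, List, Tuple

def next_expected(senders: List[str], receivers: List[str]) -> List[int]:
    """k_i for i = 0..n with R_0 = S_1: the smallest later step j > i at which
    R_i receives again, else the smallest step j <= i at which he receives."""
    R = [senders[0]] + receivers                 # R_0, R_1, ..., R_n
    n = len(receivers)
    k = []
    for i in range(n + 1):
        later = [j for j in range(i + 1, n + 1) if R[j] == R[i]]
        earlier = [j for j in range(0, i + 1) if R[j] == R[i]]
        k.append(min(later) if later else min(earlier))
    return k

def is_permutation(k: List[int]) -> bool:
    """Lemma 1: k is a bijection of {0, ..., n}."""
    return sorted(k) == list(range(len(k)))

def lknow(U: str, i: int, senders: List[str], receivers: List[str],
          knowledge: Dict[str, List[str]],
          fresh: Dict[int, List[Tuple[str, str]]]) -> List[str]:
    """lknow(U, i) as variable names: x_U and one x_T per declared datum, then,
    for every step j < i with U = R_j, x_Mj, x_Sj and one variable per
    identifier fresh in M_{j+1} (two for a fresh public key).
    fresh maps a step number to its (identifier, sort) pairs."""
    names = ["x_" + U] + ["x_" + t for t in knowledge[U]]
    R = [senders[0]] + receivers
    S = ["S0"] + senders                         # S_0 is the dummy constant
    for j in range(i):
        if U != R[j]:
            continue
        names += ["x_M%d" % j, "x_" + S[j]]
        for ident, sort in fresh.get(j + 1, []):
            names.append("x_" + ident)
            if sort == "public_key":
                names.append("x_" + ident + "^-1")
    return names
```

For Figure 1 the function returns $k = (2, 1, 0)$ as in Example 8, and $\ell know(D, 1) = (x_D, x_C, x_K, x_{M_0}, x_{S_0}, x_{Ins})$, the list that appears (with $x_{Ins}$ instantiated by the nonce) in rule $tvs_1$ of Example 9.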

Example 9. The translator generates the following $\mathcal{R}(\mathcal{P})$ for the symmetric key version of the protocol of Figure 1. For sake of readability, in this example and the following ones, the fresh variables are denoted $x_i$ (where $i$ is an integer) instead of the form of the case (24) in the definition of $expect()$.

$$h(s(x_{time})) \,.\, w(0, x_{S_0}, x_D, x_{M_0}, (x_D, x_C, x_K), x_c)$$
$$\rightarrow\ h(x_{time}) \,.\, m(1, x_D, x_D, x_C, (x_D, \{nonce(s_1(x_{time}))\}_{x_K}), x_c) \,.\, w(2, x_C, x_D, (x_C, x_D, \{nonce(s_1(x_{time}))\}_{x_K}), (x_D, x_C, x_K, x_{M_0}, x_{S_0}, nonce(s_1(x_{time}))), x_c) \qquad (tvs_1)$$

$$h(s(x_{time})) \,.\, w(1, x_D, x_C, x_{M_1}, (x_C, x_K), x_c) \,.\, m(1, x_r, x_D, x_C, x_{M_1}, x_{c'})$$
$$\rightarrow\ h(x_{time}) \,.\, m(2, x_C, x_C, \pi_1(x_{M_1}), (x_C, \pi_1(x_{M_1}), \pi_2(x_{M_1})), x_{c'}) \,.\, w(1, x_D, x_C, (x_D, \{x_1\}_{x_K}), (x_C, x_K), s(x_c)) \qquad (tvs_2)$$

$$h(s(x_{time})) \,.\, w(2, x_C, x_D, x_{M_2}, (x_D, x_C, x_K, x_{M_0}, x_{S_0}, x_{Ins}), x_c) \,.\, m(2, x_r, x_C, x_D, x_{M_2}, x_{c'})$$
$$\rightarrow\ h(x_{time}) \,.\, w(0, x_{S_0}, x_D, x_{M_0}, (x_D, x_C, x_K), s(x_c)) \qquad (tvs_3)$$



3 Intruder Rules 

The main difference between the behaviour of an honest principal and the intruder $I$ is that the latter is not forced to follow the protocol, but can send messages arbitrarily. Therefore, there will be no $w()$ terms for $I$. In order to build messages, the intruder stores some information in the global state with terms of the form $i(\cdot)$, where $i$ is a new unary function symbol. The rewriting rules corresponding to the various intruder's techniques are detailed below.

The intruder can record the information aimed at him, (25). If divert is selected in the field intruder, the message is removed from the current state (26), but not if eaves_dropping is selected (27).

$$m(x_i, x_u, x_u, I, x, x_c) \rightarrow i(x).i(x_u) \qquad (25)$$
$$m(x_i, x_u, x_u, x'_u, x, x_c) \rightarrow i(x).i(x_u).i(x'_u) \qquad (26)$$
$$m(x_i, x_u, x_u, x'_u, x, x_c) \rightarrow m(x_i, x_u, x_u, x'_u, x, x_c).i(x).i(x_u).i(x'_u) \qquad (27)$$



After collecting information, / can decompose it into smaller z() terms. Note 
that the information which is decomposed {e.g. (xi,X 2 )) is not lost during the 
operation. 



z((a;i,a;2)) 


i({xi,X2))-i(xi).i(x2) 


(28) 






(29) 




i({a:i}a;J-z(a:s).z(a;i) 


(30) 




^ i{{xi}x-^)-i{^v)-i{xi) 


(31) 


I is then able to reconstruct terms 


as he wishes. 




z(a;i).z(a;2) ^ 


z(a;i).z(a;2).z((a;i,a:2)) 


(32) 


i{xi).i{xps) 


z(a;i).z(a;ps).z({a;i}a;pj 


(33) 


i{xf).i{x) 


i{xf) .i{x) .i{xf{xy) 


(34) 


i{xt).i{xu) 


i{xt).i{xu)-i{xt [xu]) 


(35) 


I can send arbitrary messages in his own name. 




i{x).i{xu) i(x).i(xu 


,).m{j,I,I,Xu,x,0) j<n 


(36) 



If moreover impersonate is selected, then / can fake others identity in sent 
messages. 

i{x).i{xu).i{x'^) ^ i{x).i{xu).i{x'^).m{j,I,Xu,x'^,x,0) j<n (37) 



Note that the above intruder rules are independent from the protocol V in con- 
sideration. The rewrite system of the intruder (25)-(37) is denoted X. 
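The closure described by rules (25)-(37) can be computed without the runaway composition steps that Section 4.4 complains about, by running the decomposition rules forward to a fixpoint and reading the composition rules backwards from the term the intruder wants to build. The following Python program is an added example written for this edition; it is not code from the paper or from its translator. Its term encoding (tuples tagged pair, enc, inv, tab, app), the explicit declaration of which atoms are symmetric keys, and the three sample knowledge sets are assumptions of the example, built from message 1 of Figure 1 as it appears in Appendices B and C.

```python
# Added example (not the paper's code): the intruder's decomposition rules (28)-(31)
# run forward to a fixpoint, and the composition rules (32)-(35) read backwards from a
# goal term, so the non-terminating forward closure of (32)-(33) noted in Section 4.4
# is never computed.  Term syntax is an assumption of this example:
#   ('pair', a, b) for (a, b)     ('enc', m, k) for {m}_k     ('inv', k) for k^-1
#   ('tab', t, u)  for t[u]       ('app', f, x) for f(x)
# Atoms are strings; which atoms are symmetric keys is declared by the caller.


def inverse(k, symmetric):
    """Key that opens a cipher made with k: k itself for a symmetric key (30),
    K for a cipher under K^-1 (31), K^-1 for a cipher under a public key K."""
    if isinstance(k, tuple) and k[0] == 'inv':
        return k[1]
    return k if k in symmetric else ('inv', k)


def composable(t, known, symmetric):
    """Rules (32)-(35) read backwards: can I build t from what he knows?"""
    if t in known:
        return True
    if not isinstance(t, tuple) or t[0] == 'inv':
        return False                 # a private key is only ever learned, never built
    return all(composable(x, known, symmetric) for x in t[1:])


def saturate(known, symmetric):
    """Forward closure under (28)-(31).  Terminates: each step adds a strict subterm."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == 'pair':                                             # (28)
                parts = [t[1], t[2]]
            elif t[0] == 'enc' and composable(inverse(t[2], symmetric), known, symmetric):
                parts = [t[1]]                                             # (29)-(31)
            else:
                continue
            for x in parts:
                if x not in known:
                    known.add(x)
                    changed = True
    return known


def derivable(goal, known, symmetric=frozenset()):
    """Is `goal` in the intruder's closure of `known`?"""
    return composable(goal, saturate(known, symmetric), symmetric)


# Constructed inputs: message 1 of Figure 1 in both versions, with Ins = nonce(x1).
NONCE = ('nonce', 'x1')
PK_MSG1 = ('pair', 'tv', ('enc', NONCE, ('inv', ('tab', 'key', 'tv'))))  # (D, {Ins}_{T[D]^-1})
SK_MSG1 = ('pair', 'tv', ('enc', NONCE, 'key'))                          # (D, {Ins}_K)


def secrecy_attack_pk():
    """Appendix C: the eavesdropped message plus the public table `key` give the nonce."""
    return derivable(NONCE, {'key', 'scard', PK_MSG1})                   # True


def secrecy_attack_sk():
    """Symmetric version: without K the nonce stays secret ..."""
    return derivable(NONCE, {'scard', SK_MSG1}, symmetric={'key'})       # False


def correspondence_forgery_sk():
    """... but message 2 = (C, D, {Ins}_K) of Example 11 is still forgeable."""
    forged = ('pair', 'scard', ('pair', 'tv', ('enc', NONCE, 'key')))
    return derivable(forged, {'scard', SK_MSG1}, symmetric={'key'})      # True
```

The three checks reproduce, at the level of knowledge alone, the secrecy attack of Appendix C (the nonce is readable because a cipher under $T[D]^{-1}$ opens with the public $T[D]$, which rule (35) builds from the table and the name), the absence of a secrecy attack in the symmetric version, and the fact that message 2 of Example 11 is nevertheless forgeable from the diverted message 1 without ever opening the cipher.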



4 Operational Semantics

4.1 Initial State

After the definition of the rules of $R(\mathcal{P})$ and $\mathcal{I}$, the presentation of an operational "state/transition" semantics of protocol executions is completed here by the definition of an initial state $t_{init}(\mathcal{P})$. This state is a term of the form $w(\ldots)$ containing the patterns of the first messages expected by the principals, and their initial knowledge, for every session instance.

We add to the initial state term a set of initial knowledge for the intruder $I$. More precisely, we let $t_{init}(\mathcal{P}) := t_{init}(\mathcal{P}) . i(v_1) \ldots i(v_n)$ if the field intruder_knowledge: $v_1, \ldots, v_n$; is declared in $\mathcal{P}$.

Example 10. The initial state for the protocol of Figure 1 (symmetric key version) is:

$t_{init}(\mathcal{P}) := h(x_{time}) . w(0, x_1, tv, x_2, (tv, scard, key), 1) . w(1, x_3, scard, (x_3, \{x_4\}_{key}), (scard, key), 1) . i(scard)$



4.2 Protocol Executions

Definition 3. Given a ground term $t_0$ and rewrite systems $R$, $S$, the set of executions $EXEC(t_0, R, S)$ is the set of maximal derivations $t_0 \to_{R,S} t_1 \to_{R,S} \cdots$

Maximality is understood w.r.t. the prefix ordering on sequences. The normal executions of protocol $\mathcal{P}$ are the elements of the set

$EXEC_n(\mathcal{P}) := EXEC(t_{init}(\mathcal{P}), R(\mathcal{P}), S_0)$

Executions in the presence of an intruder are the ones in

$EXEC_i(\mathcal{P}) := EXEC(t_{init}(\mathcal{P}), R(\mathcal{P}) \cup \mathcal{I}, S_0)$



4.3 Executability

The following Theorem 1 states that if the construction of $R(\mathcal{P})$ does not fail, then normal executions will not fail (the protocol can always run and restart without deadlock).

Theorem 1. If $\mathcal{P}$ is normalised, the field session_instance of $\mathcal{P}$ contains only one declaration, and the construction of $R(\mathcal{P})$ does not fail on $\mathcal{P}$, then every derivation in $EXEC_n(\mathcal{P})$ is infinite.

Theorem 1 is not true if the field session_instance of $\mathcal{P}$ contains at least two declarations, as explained in the next section. Concurrent executions may interfere and enter a deadlock state.



4.4 Approximations for Intruder Rules

Due to the intruder rules of Section 3 the search space is too large. In particular, the application of rules (32)-(33) is obviously non-terminating. In our experiments, we have used restricted intruder rules for message generation.

Intruder rules guided by expected messages. The first idea is to change rules (36)-(37) so that $I$ sends a faked message numbered $j$ with body $x$ only if there exists a term of the form $w(j, x_u, x_u', x, x_e, x_c)$ in the global state, i.e. only if some principal is currently waiting for a message with this number and this pattern. More precisely, we replace (36), (37) in $\mathcal{I}$ by, respectively,

$i(x) . i(x_u) . w(j, I, x_u, x, x_e, x_c) \to i(x) . i(x_u) . w(j, I, x_u, x, x_e, x_c) . m(j, I, I, x_u, x, 0)$ where $j \leq n$ (36')

$i(x) . i(x_u) . i(x_u') . w(j, x_u, x_u', x, x_e, x_c) \to i(x) . i(x_u) . i(x_u') . w(j, x_u, x_u', x, x_e, x_c) . m(j, I, x_u, x_u', x, 0)$ where $j \leq n$ (37')

We refer to the rewrite system obtained this way as the modified intruder system.

This approximation is complete: every attack in $EXEC_i(\mathcal{P})$ exists also in the trace generated by the modified system. Indeed, the messages in a trace of $EXEC_i(\mathcal{P})$ that do not occur in a trace of $EXEC(t_{init}(\mathcal{P}), R(\mathcal{P})$ extended with the modified intruder system$, S_0)$ would be rejected by the receiver as non-expected or ill-formed messages. Similar observations are reported independently in [32]. Therefore, there is no limitation for detecting attacks with this simplification (this strategy prunes only useless branches), but it is still inefficient.

Rule-guided approximation. The above strategy is improved by deleting rules (32)-(35) and replacing each of the rules (36'), (37') by new rules (several for each protocol message), such that a sent message has the form $m(i, I, x_u, t, 0)$ where, roughly speaking, $t$ follows the pattern $M_i$ with the missing parts filled in with some knowledge of $I$. Formally, we define a non-deterministic unary operator $* : T(F) \to T(F, X)$.

$(M_1, M_2)^* = (M_1^*, M_2^*)$ (38)

$(\{M\}_K)^* = \{M^*\}_{K^*}$ (39)

$F(M)^* = x_F(M^*) \mid x_{F(M)}$ (40)

$T[A]^* = x_T[x_A] \mid x_{T[A]}$ (41)

$ID^* = x_{ID}$ if $ID$ is a nullary function symbol of $F$ (42)

Given $T \in T(F)$ we denote by $skel(T)$ the set of possible terms for $T^*$. Then, we replace (36'), (37') in $\mathcal{I}$ by the following rules: for each $i \in 1..n$, for each $t \in skel(M_i)$, for each distinct identifier $A$ of sort user, let $\{x_1, \ldots, x_m\} = Var(t) \cup \{x_A, x_{S_i}, x_{R_i}\}$ (no variable occurs more than once in the sequence $x_1, \ldots, x_m$):

$i(x_1) \ldots i(x_m) . w(i, x_{S_i}, x_{R_i}, x, x_e, x_c) \to i(x_1) \ldots i(x_m) . w(i, x_{S_i}, x_{R_i}, x, x_e, x_c) . m(i, I, I, x_A, t, 0)$ (36'')

and, if impersonate is selected in the field intruder of $\mathcal{P}$: for each $i \in 1..n$, for each $t \in skel(M_i)$, for each pair of distinct identifiers $A, B$ of sort user, let $\{x_1, \ldots, x_m\} = Var(t) \cup \{x_A, x_B, x_{S_i}, x_{R_i}\}$:

$i(x_1) \ldots i(x_m) . w(i, x_{S_i}, x_{R_i}, x, x_e, x_c) \to i(x_1) \ldots i(x_m) . w(i, x_{S_i}, x_{R_i}, x, x_e, x_c) . m(i, I, x_A, x_B, t, 0)$ (37'')

Because of the deletion of rules (32)-(35), one rule for public key decryption with tables needs to be added:

$\ldots \to \ldots . i(x_u) . i(x_1)$ (43)

The obtained system depends on $\mathcal{P}$. Note that this approximation is not complete. However, it seems to give reasonable results in practice.
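To see how many instances of (36'') the skeleton construction actually produces, here is an added Python example for this edition (not the paper's code) that computes $skel(T)$ as the set of results of the non-deterministic operator $*$ and generates the corresponding rules for one message. Assumptions of the example: the tuple syntax for messages, the reading of (39) as $(\{M\}_K)^* = \{M^*\}_{K^*}$, the prefix x_ for pattern variables, and message 2 of the e-commerce protocol of Appendix A as the sample input.

```python
# Added example (not the paper's code): the non-deterministic operator * of rules
# (38)-(42) computed as the set skel(T) of all its results, and the guided intruder
# rules (36'') a translator would emit from one skeleton.  Assumptions of this example:
# messages are tuples ('pair', a, b), ('enc', m, k), ('app', f, m) for F(M) and
# ('tab', t, a) for T[A]; identifiers are strings; rule (39) is read as
# ({M}_K)* = {M*}_{K*}; pattern variables are strings prefixed with 'x_'.


def show(t):
    """Render a term the way the paper writes it, e.g. (B,{N}Kb,hash(N))."""
    if isinstance(t, str):
        return t
    f, a = t[0], [show(x) for x in t[1:]]
    if f == 'pair':                      # right-associative pairs print flat
        inner = a[1][1:-1] if isinstance(t[2], tuple) and t[2][0] == 'pair' else a[1]
        return f'({a[0]},{inner})'
    if f == 'enc':
        return '{' + a[0] + '}' + a[1]
    if f == 'app':
        return f'{a[0]}({a[1]})'
    return f'{a[0]}[{a[1]}]'             # tab


def skel(t):
    """All terms T* of (38)-(42); the non-determinism of * becomes a set."""
    if isinstance(t, str):                                            # (42)
        return {'x_' + t}
    f = t[0]
    if f == 'pair':                                                   # (38)
        return {('pair', m1, m2) for m1 in skel(t[1]) for m2 in skel(t[2])}
    if f == 'enc':                                                    # (39)
        return {('enc', m, k) for m in skel(t[1]) for k in skel(t[2])}
    if f == 'app':                                                    # (40)
        return {('app', 'x_' + t[1], m) for m in skel(t[2])} | {'x_' + show(t)}
    if f == 'tab':                                                    # (41)
        return {('tab', 'x_' + t[1], 'x_' + t[2]), 'x_' + show(t)}
    raise ValueError(f'unknown constructor {f}')


def variables(t):
    """Var(t): the pattern variables occurring in a skeleton."""
    if isinstance(t, str):
        return {t} if t.startswith('x_') else set()
    return set().union(*(variables(x) for x in t[1:]))


def guided_rules(i, sender, receiver, message, users):
    """Rule (36'') for message i: one rule per skeleton and per user A addressed by I."""
    rules = []
    for t in sorted(skel(message), key=show):
        for a in users:
            xs = sorted(variables(t) | {'x_' + a, 'x_' + sender, 'x_' + receiver})
            lhs = '.'.join(f'i({x})' for x in xs) + f'.w({i},x_{sender},x_{receiver},x,x_e,x_c)'
            rules.append(f'{lhs} -> {lhs}.m({i},I,I,x_{a},{show(t)},0)')
    return rules


# Constructed input: message 2 of the e-commerce protocol of Appendix A, sent by C to M.
MSG2 = ('pair', 'B', ('pair', ('enc', 'N', 'Kb'), ('app', 'hash', 'N')))
```

For that message the hash subterm doubles the number of skeletons (the intruder may either recompute $hash$ on a guessed $N$ or replay a whole $hash(N)$ he has seen), and with three identifiers of sort user the translator would emit six instances of (36''); the (37'') variant multiplies this by the number of ordered pairs of distinct users instead.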



5 Flaws

In our state/transition model, a flaw will be detected when the protocol execution reaches some critical state. We define a critical state as a pattern $t_{goal}(\mathcal{P}) \in T(F, X)$, which is constructed automatically from the protocol $\mathcal{P}$. The existence of a flaw is reducible to the following reachability problem, where $a$ can be either $i$ or $n$:

$\exists\, t_0, \ldots, t_{goal}(\mathcal{P})\sigma \in EXEC_a(\mathcal{P})$ for some substitution $\sigma$

5.1 Design Flaws

It may happen that the protocol fails to reach its goals even without an intruder, i.e. only in the presence of honest agents following the protocol carefully. In particular, it may be the case that there is an interference between several concurrent runs of the same protocol: confusion between a message $m(i, \ldots)$ from the first run and another $m(i, \ldots)$ from the second one. An example of this situation is given in Appendix A. The critical state in this case is (recall that $x_c$ and $x_c'$ correspond to session counters):

$t_{goal}(\mathcal{P}) := w(i, x_s, x_r, x_m, x_l, x_c) . m(i, x_s', x_s, x_r, x_m, x_c') . [x_c \neq x_c']$

where $[x_c \neq x_c']$ is a constraint that can be checked either by extra rewrite rules or by an internal mechanism as in daTac.

5.2 Attacks, Generalities

Following the classification of Woo and Lam [36], we consider two basic security properties for authentication protocols: secrecy and correspondence. Secrecy means that some secret information (e.g. a key) exchanged during the protocol is kept secret. Correspondence means that every principal was really involved in the protocol execution, i.e. that mutual authentication is ensured. The failure of one of these properties in the presence of an intruder is called a flaw.

Example 11. The following scenario is a correspondence attack for the symmetric key version of the cable TV toy example in Figure 1:

1. $D \to I(C) : (D, \{Ins\}_K)$

2. $I(C) \to D : (C, D, \{Ins\}_K)$

Following the traditional notation, the $I(C)$ in step 1 means that $I$ diverted the first message of $D$ to $C$. Note that this ability is selected in Figure 1. It may be performed in the real world by interposing a computer between the decoder and the smartcard, with some serial interface and a smartcard reader. The sender $I(C)$ in the second message means that $I$ impersonated $C$ for sending this message. Note that $I$ is able to reconstruct the message of step 2 from the message he diverted at step 1, with a projection $\pi_1$ to obtain the name of $D$ and a projection $\pi_2$ to obtain the cipher $\{Ins\}_K$, together with his initial knowledge (the name of the smartcard); he never needs to open the cipher. Note that the smartcard $C$ did not participate at all in this protocol execution. Such an attack may be used if the intruder wants to watch some channel which is not registered in his smartcard. See [1] for the description of some real-world hacks on pay TV.

A secrecy attack can be performed on the public key version of the protocol in Figure 1. By listening to the message sent by the decoder at step 1, the intruder (with eaves_dropping ability) can decode the cipher $\{Ins\}_{T[D]^{-1}}$ since he knows the public key $T[D]$, and thus he will learn the secret instruction $Ins$: a cipher under a private key authenticates its sender but gives no confidentiality. Note that there is no correspondence flaw in this scenario.



5.3 Secrecy Attack

Definition 4. We say that a principal $U$ of $\mathcal{P}$ shares a (secret) identifier $N$ if there exist $j$ and $t$ such that $N : t \in know(U, j)$.

In the construction of $R(\mathcal{P})$, we say that the term $t = compose(U, M, j)$ is bound to $M$.

Definition 5. An execution $t_0, \ldots \in EXEC_i(\mathcal{P})$ satisfies the secrecy property iff for each $j$, $t_j$ does not contain an instance of $i(t)$ as a subterm, where $t$ is bound to a term $N$ declared in a field goal : secrecy_of $N$ of $\mathcal{P}$.

To define a critical state corresponding to a secrecy violation in our semantics, we add a binary function symbol $secret(\_, \_)$ to $F$, which is used to store a term $t$ (nonce or session key) that is bound to some data $N$ declared as secret in $\mathcal{P}$ by secrecy_of $N$. If this term $t$ appears as an argument of $i(\_)$, and $I$ was not supposed to share $t$, then it means that its secrecy has been corrupted by the intruder $I$.

We must formalise the condition that "$I$ was not supposed to share $t$". For this purpose, we add a second argument to $secret(\_, \_)$ which is a term of $T(\{s, 1, \ldots, k\})$ corresponding to the value of a session counter, where $k$ is the number of fields session_instance in $\mathcal{P}$. Let $C = \{1, \ldots, k\}$. To each field session_instance in $\mathcal{P}$ is associated a unique constant in $C$ by the procedure described in Section 4.1. Let $J \subseteq C$ be the set of session instances where $I$ does not have the role of a principal that shares $N$.

The critical state $t_{goal}(\mathcal{P})$ is any of the terms of the set:

$\{\, i(x) . secret(x, f(c)) \,\}_{c \in J}$

The auxiliary unary function symbol $f(\_)$ scrapes off the $s(\ldots)$ context in the values of session counters, using the following rewrite rule (added to $S_0$):

$f(s(x)) \to f(x)$ (44)

The storage in $secret(\_, \_)$ is performed in the rewrite rule constructing the message $M_{i+1}$ where $N$ appears for the first time. More precisely, there is a special construction in the rewrite rule for building $M_{i+1}$. The binding to the secret $N$ is a side effect of the recursive call of the form $compose(U, N, i)$. The $i$-th rule constructed by our algorithm (page 142) will be in this case:

$h(s(x_{time})) . w(i, x_{S_i}, x_{R_i}, x_{M_i}, \ell_{know}(R_i, i), x_c) . m(i, x_r, x_{S_i}, x_{R_i}, x_{M_i}, x_c) \to$
$h(x_{time}) . m(i+1, x_{R_i}, x_{R_i}, compose(R_i, R_{i+1}, i), compose(R_i, M_{i+1}, i), x_c) .$
$w(k_i, compose(R_i, S_{k_i}, i), x_{R_i}, expect(R_i, M_{k_i}, i), \ell', c') . secret(t, f(x_c))$

Example 12. The rules generated for the protocol of Figure 1, public key version, are:

$h(s(x_{time})) . w(0, x_{S_0}, x_D, x_{M_0}, (x_D, x_C, x_T, x_{T[D]^{-1}}), x_c) \to$
$h(x_{time}) . m(1, x_D, x_D, x_C, (x_D, \{nonce(s_1(x_{time}))\}_{x_{T[D]^{-1}}}), x_c) .$
$w(2, x_C, x_D, (x_C, x_D, \{nonce(s_1(x_{time}))\}_{x_{T[D]^{-1}}}), (x_D, x_C, x_T, x_{T[D]^{-1}}, x_{M_0}, x_{S_0}, nonce(s_1(x_{time}))), x_c) .$
$secret(nonce(s_1(x_{time})), f(x_c))$ (tvp1)

$h(s(x_{time})) . w(1, x_D, x_C, x_{M_1}, (x_C, x_T, x_{T[C]^{-1}}), x_c) . m(1, x_r, x_D, x_C, x_{M_1}, x_c) \to$
$h(x_{time}) . m(2, x_C, x_C, \pi_1(x_{M_1}), (x_C, \pi_1(x_{M_1}), \pi_2(x_{M_1})), x_c) .$
$w(1, x_D, x_C, (x_D, X_1), (x_C, x_T, x_{T[C]^{-1}}), s(x_c))$ (tvp2)

$h(s(x_{time})) . w(2, x_C, x_D, x_{M_2}, (x_D, x_C, x_T, x_{T[D]^{-1}}, x_{M_0}, x_{S_0}, x_{Ins}), x_c) . m(2, x_r, x_C, x_D, x_{M_2}, x_c) \to$
$h(x_{time}) . w(0, x_{S_0}, x_D, x_{M_0}, (x_D, x_C, x_T, x_{T[D]^{-1}}), s(x_c))$ (tvp3)

Note the term $secret(nonce(s_1(x_{time})), f(x_c))$ in rule (tvp1). As described in Example 11, it is easy to see that this protocol has a secrecy flaw. A subterm $secret(nonce(x), f(1)) . i(nonce(x))$ is obtained in 4 steps, see Appendix C.



5.4 Correspondence Attack

The correspondence property between two users $U$ and $V$ means that when $U$ terminates its part of a session $c$ of the protocol (and starts the next session $s(c)$), then $V$ must have started its own part, and reciprocally. In Definition 6, we use the notation $firsts(U) = \min\{i \mid S_i = U\}$, assuming $\min(\emptyset) = 0$.

Definition 6. An execution $t_0, \ldots \in EXEC_i(\mathcal{P})$ satisfies the correspondence property between the (distinct) users $U$ and $V$ iff for each $j$, $t_j$ does not contain a subterm matching:

$w(firsts(U) - 1, x_s, u, x_m, x_l, s(x_c)) . w(firsts(V) - 1, x_s', v, x_m', x_l', x_c)$

or $w(firsts(V) - 1, x_s, v, x_m, x_l, s(x_c)) . w(firsts(U) - 1, x_s', u, x_m', x_l', x_c)$,

where $U : u$ and $V : v$ occur in the same line of the field session_instance.

The critical state $t_{goal}(\mathcal{P})$ is therefore any of the two above terms of Definition 6. Again, these terms are independent from $\mathcal{P}$.

Example 13. A critical state for the protocol in Figure 1, symmetric key version, is: $t_{goal}(\mathcal{P}) := w(0, x_1, tv, x_{M_1}, x_{l_1}, x_c) . w(1, x_2, scard, x_{M_2}, x_{l_2}, s(x_c))$

5.5 Key Compromising Attack

A classical goal of cryptographic protocols is the exchange between two users $A$ and $B$ of new keys, symmetric or public. In such a scenario, $A$ may propose to $B$ a new shared symmetric key $K$, or $B$ may ask a trusted server for $A$'s public key $K$; see Section 5.6 below for this second case. In this setting, a technique of attack for the intruder is to introduce a compromised key $K'$: $I$ has built some key $K'$ and he lets $B$ think that $K'$ is the key proposed by $A$, or that it is $A$'s public key, for instance (see Example 14 for a key compromising attack). The compromising of $K$ may be obtained by exploiting for instance a type flaw as described below. Such an attack is not, properly speaking, a secrecy attack. However, it can of course be exploited if later on $B$ wants to exchange some secret with $A$ using $K$ (actually the compromised $K'$).

Therefore, a key compromising attack is defined as a secrecy attack for an extended protocol obtained from a protocol $\mathcal{P}$ of the above category as follows:

1. declare a new identifier $X$ : number;

2. add a rule: $n + 1.\ B \to A : \{X\}_K$ where $n$ is the number of messages in $\mathcal{P}$ and $K$ is the key to compromise;

3. add the declaration goal : secrecy_of $X$;

5.6 Binding Attack

This is a particular case of key compromising attack, and therefore a particular case of secrecy attack, see Section 5.5. It can occur in protocols where the public keys are distributed by a trusted server (who knows a table $K$ of public keys), because the principals do not know in advance the public keys of others. In some cases, the intruder $I$ can do appropriate diverting in order to let some principal learn a fake binding between a name and a public key. For instance, $I$ makes some principal $B$ believe that $I$'s own public key $K[I]$ is the public key of a third party $A$ (binding $A - K[I]$). This is what can happen with the protocol SLICE/AS, see [7].
5.7 Type Flaw

This flaw occurs when a principal can accept a term of the wrong type. For instance, he may accept a pair of numbers instead of a new symmetric key, when numbers, pairs of numbers and symmetric keys are assumed to have the same type. Therefore, a type flaw refers more to implementation hypotheses than to the protocol itself. Such a flaw may be the cause of one of the above attacks, but its detection requires a modification of the sort system of $T$. The idea is to collapse some sorts, by introducing new sort equalities. For instance, one may have the equality symmetric_key = text = number. By definition of the profiles of $\{\_\}_{\_}$ and $(\_, \_)$, ciphers and pairs are in this case numbers, and can be accepted as symmetric_key.

Example 14. A known key compromising attack on the Otway-Rees protocol, see [7], exploits a type flaw of this protocol. We present here the extended version of Otway-Rees, see Section 5.5.

protocol Otway Rees
identifiers
  A, B, S : user;
  Kas, Kbs, Kab : symmetric_key;
  M, Na, Nb, X : number;
messages
  1. A → B : (M, A, B, {Na, M, A, B}Kas)
  2. B → S : (M, A, B, {Na, M, A, B}Kas, {Nb, M, A, B}Kbs)
  3. S → B : (M, {Na, Kab}Kas, {Nb, Kab}Kbs)
  4. B → A : (M, {Na, Kab}Kas)
  5. A → B : {X}Kab
knowledge
  A : B, S, Kas;
  B : S, Kbs;
  S : A, B, Kas, Kbs;
session_instance [A : a, B : b, S : s, Kas : kas, Kbs : kbs];
intruder : divert, impersonate;
intruder_knowledge : ;
goal : secrecy_of X;

The symmetric keys $Kas$ and $Kbs$ are supposed to be known only by $A$ and $S$, resp. $B$ and $S$. The identifiers $M$, $Na$ and $Nb$ are nonces. The new symmetric key $Kab$ is generated by the trusted server $S$ and transmitted to $B$ and, indirectly, to $A$, by means of the cipher $\{Na, Kab\}_{Kas}$.

If the sorts number, text and symmetric_key are assumed to collapse, then we have the following scenario:

1. $A \to I(B) : (M, A, B, \{Na, M, A, B\}_{Kas})$

4. $I(B) \to A : (M, \{Na, M, A, B\}_{Kas})$

5. $A \to I(B) : \{X\}_{(M, A, B)}$

In step 1, $I$ diverts (and memorises) $A$'s message. In the next step 4, $I$ impersonates $B$ and makes $A$ think that the triple $(M, A, B)$ is the new shared symmetric key $Kab$. We recall that $(\_, \_)$ is right associative and therefore $(Na, M, A, B)$ can be considered as identical to $(Na, (M, A, B))$. Since $M$, $A$ and $B$ were sent in clear in message 1, $I$ holds the "key" $(M, A, B)$ and reads $X$, which is the secrecy violation the extended protocol declares.

6 Verification: Deduction Techniques and Experiments

We have implemented the construction of $R(\mathcal{P})$ in OCaml and performed experiments using the theorem prover daTac [33] with paramodulation modulo AC. Each rule $l \to r \in R(\mathcal{P})$ is represented as an oriented equation $l = r$, the initial state is represented as a unit positive clause $P(t_{init}(\mathcal{P}))$ and the critical state as a unit negative clause $\neg P(t_{goal}(\mathcal{P}))$.

As for multiset rewriting [8], an ac-operator will take care of concurrency. On the other hand, unification will take care of communication in an elegant way. The deduction system combines paramodulation steps with equational rewriting by $S_0$.

6.1 Deduction Techniques. Generalities

The main deduction technique consists in replacing a term by an equal one in a clause: given a clause $l = r \lor C'$ and a clause $C[l']$, the clause $(C' \lor C[r])\sigma$ is deduced, where $\sigma$ is a unifier of $l$ and $l'$, that is a mapping from variables to terms such that $l\sigma$ is equal to $l'\sigma$.

This deduction rule is called paramodulation. It was introduced by Robinson and Wos [27]. Paramodulation (together with resolution and factoring) was proved refutationally complete by Brand [6], who also showed that applying a replacement at a variable position is useless.

For reducing the number of potential deduction steps, the paramodulation rule has been restricted by an ordering, to guarantee that it replaces big terms by smaller ones. This notion of ordered paramodulation has been applied to the Knuth-Bendix completion procedure [16] for avoiding failure in some situations (see [14] and [2]). A lot of work has been devoted to putting more restrictions on paramodulation in order to limit combinatorial explosion [23].

In particular, paramodulation is often inefficient with axioms such as associativity and commutativity, since these axioms allow for many successful unifications between their subterms and subterms in other clauses. Typically, word problems in finitely presented commutative semigroups cannot be decided by standard paramodulation. This becomes possible by building associativity and commutativity into the paramodulation rule, using the so-called paramodulation modulo AC and rewriting modulo AC rules.

The integration of associativity and commutativity axioms within theorem-proving systems was first investigated by Plotkin [26] and Slagle [31]. Rusinowitch and Vigneron [29] have built in this theory in a way that is compatible with the ordered paramodulation strategy and rewriting, and preserves refutational completeness. These techniques are implemented in the daTac system [33]. Another approach has been followed by Wertz [35] and Bachmair and Ganzinger [3], consisting of using the idea of extended clauses developed for the equational case by Peterson and Stickel [25].

In all these approaches, the standard unification calculus has to be replaced by unification modulo associativity and commutativity. This may be very costly since some unification problems have doubly exponentially many minimal solutions [12].



6.2 Deduction Rules for Protocol Verification

We present here the version of paramodulation we have applied for simulating and verifying protocols. States are built with the specific ac-operator for representing the multiset of information components: sent and expected messages, and the knowledge of the intruder.

The definition of our instance of the paramodulation rule is the following.

Definition 7 (Paramodulation).

$\dfrac{l = r \qquad P(l')}{P(r.z)\sigma}$ if $\sigma$ is an ac-unifier of $l.z$ and $l'$, and $z$ is a new variable.

This rule is much simpler than the general one in [29]. We only need to apply replacements at the top of the term. In addition, the equations are such that the left-hand side is greater than the right-hand side, and each clause is a unit clause. So we do not need any strategy for orienting the equations or selecting a literal in a clause.

In the verification of protocols, we encounter only simple unification problems. They reduce to unifying multisets of standard terms, where one of the multisets has no variable as an argument of "." and only one argument of the other multiset is a variable. Hence for handling these problems we have designed a unification algorithm which is more efficient than the standard ac-unification algorithm of daTac.

Let us illustrate this with an example.

Example 15. For performing a paramodulation step from $f(x_1).g(a) = c$ into $P(a.g(x_2).f(b).h(x_3))$, trying to unify $f(x_1).g(a)$ and $a.g(x_2).f(b).h(x_3)$ will not succeed. We have to add a new variable in the left-hand side of the equation for capturing the additional arguments of the ac-operator. The unification problem we have to solve is $f(x_1).g(a).z =^{?}_{AC} a.g(x_2).f(b).h(x_3)$. Its unique solution $\sigma$ is $\{x_1 \mapsto b,\ x_2 \mapsto a,\ z \mapsto a.h(x_3)\}$. The deduced clause is $P(c.z)\sigma$, that is $P(c.a.h(x_3))$.

The paramodulation rule is used for generating new clauses. We need a rule for detecting a contradiction with the clause representing the goal.

Definition 8 (Contradiction).

$\dfrac{P(t) \qquad \neg P(t')}{\Box}$ if $\sigma$ is an ac-unifier of $t$ and $t'$.

In addition to these two deduction rules, we need to simplify clauses by term rewriting, using the equations of $S_0$ (rewrite rules (1)-(6)). For this step we have to compute a match $\sigma$ of a term $l$ into $l'$, that is a substitution such that $l\sigma = l'$.

Definition 9 (Simplification).

$\dfrac{P(t[l'])}{P(t[r\sigma])}$ if $\sigma$ is a match of $l$ into $l'$, for a rewrite rule $l \to r$ of $S_0$.

Applying this rule consists in replacing the initial clause by the simplified one.



6.3 Deduction Strategy

We basically apply a breadth-first search strategy. The compilation of the protocol generates four sets of clauses:

(0) the rewrite rules of $S_0$;

(1) the clauses representing transition rules (including the intruder's rules);

(2) the clause representing the initial state, $P(t_{init}(\mathcal{P}))$;

(3) the critical state, $\neg P(t_{goal}(\mathcal{P}))$.

The deduction strategy used by daTac is the following:

Repeat:
  Select a clause C in (2), C contains only a positive literal
  Repeat:
    Select a clause D in (1), D is an equation l = r
    Apply Paramodulation from D into C:
      Compute all the most general ac-unifiers
      For each solution σ,
        Generate the resulting clause Cσ
    Simplify the generated clauses:
      For each generated clause Cσ,
        Select a rewrite rule l → r in (0)
        For each subterm s in Cσ,
          If s is an instance lφ of l
          Then replace s by rφ in Cσ
    Add the simplified generated clauses into (2)
    Try Contradiction between the critical state and each new clause:
      If it applies, exit with message "contradiction found".
  Until no more clause to select in (1)
Until no more clause to select in (2)

Note that any derivation of a contradiction $\Box$ with this strategy is a linear derivation from the initial state to the goal, and it can be directly interpreted as a scenario for a flaw or an attack.
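The restricted ac-unification of Section 6.2, the paramodulation and contradiction rules of Definitions 7 and 8, and the breadth-first loop above fit together in a few dozen lines. The following Python program is an added example written for this edition, not the daTac implementation: it reproduces Example 15 and then searches a hand-written toy encoding of the symmetric cable-TV protocol of Figure 1 for the correspondence attack of Appendix B. Its term syntax, the set-like treatment of states, the rule encoding (which follows the shape of (tvs1)-(tvs3), (26), (32) and (37') but is not translator output) and the counter constant c0 are all assumptions of the example.

```python
# Added example (not the paper's code): the paramodulation step of Definition 7, the
# contradiction rule of Definition 8 and the breadth-first loop of Section 6.3 over
# multiset states.  Assumed here: terms are tuples (symbol, arg, ...), variables are
# strings beginning with '?', a state is kept as a set of components, and the cable-TV
# rules at the bottom are a hand-written toy encoding of Figure 1, not translator output.
from collections import deque

def is_var(t): return isinstance(t, str) and t.startswith('?')

def walk(t, s):                       # follow the bindings of a variable
    while is_var(t) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:]))

def unify(a, b, s):                   # syntactic unification with occurs check, or None
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if occurs(v, t, s) else {**s, v: t}
    if not (isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b) and a[0] == b[0]):
        return None
    for x, y in zip(a[1:], b[1:]):
        if s is not None:
            s = unify(x, y, s)
    return s

def subst(t, s):                      # apply a substitution
    t = walk(t, s)
    return (t[0],) + tuple(subst(x, s) for x in t[1:]) if isinstance(t, tuple) else t

def ac_unify(lhs, state, s=None, used=()):
    """Section 6.2: each component of lhs matched to a distinct component of the state;
    yields (substitution, rest) where rest is the value of the extension variable z."""
    s = {} if s is None else s
    if not lhs:
        yield s, tuple(t for i, t in enumerate(state) if i not in used)
        return
    for i, t in enumerate(state):
        s2 = None if i in used else unify(lhs[0], t, s)
        if s2 is not None:
            yield from ac_unify(lhs[1:], state, s2, used + (i,))

def canon(terms): return tuple(sorted(set(terms), key=repr))   # set-like canonical state

def paramodulate(rule, state):        # Definition 7: P(r.z)sigma for every ac-unifier sigma
    lhs, rhs = rule
    return {canon(subst(t, s) for t in list(rhs) + list(rest)) for s, rest in ac_unify(lhs, state)}

def contradiction(goal, state):       # Definition 8: the critical pattern ac-unifies with the state
    return next(ac_unify(goal, state), None) is not None

def freshen(rule, k):                 # rename the rule's variables apart from the state's
    ren = lambda t: f'{t}_{k}' if is_var(t) else (t[0],) + tuple(map(ren, t[1:])) if isinstance(t, tuple) else t
    return [ren(t) for t in rule[0]], [ren(t) for t in rule[1]]

def search(rules, init, goal, max_depth=8):
    """Section 6.3: breadth-first paramodulation; returns the rule names leading to the
    first state that contradicts the critical one (a linear derivation = an attack)."""
    start = canon(init)
    seen, frontier, k = {start}, deque([(start, [])]), 0
    while frontier:
        state, path = frontier.popleft()
        if contradiction(goal, state):
            return path
        if len(path) < max_depth:
            for name, rule in rules:
                k += 1
                for new in paramodulate(freshen(rule, k), state):
                    if new not in seen:
                        seen.add(new)
                        frontier.append((new, path + [name]))
    return None

def example_15():                     # f(x1).g(a) = c into P(a.g(x2).f(b).h(x3))
    rule = ([('f', '?x1'), ('g', 'a')], ['c'])
    state = ('a', ('g', '?x2'), ('f', 'b'), ('h', '?x3'))
    return list(ac_unify(rule[0], state)), paramodulate(rule, state)

# Toy Figure 1 (symmetric): 1. D -> C : (D,{Ins}K)   2. C -> D : (C,D,{Ins}K).  w(step, self, peer,
# key, counter): self waits for message step; m(step, claimed sender, receiver, body); i(t): I knows t.
M1 = ('pair', '?d', ('enc', '?x', '?k'))
TOY_RULES = [
    ('tvs1', ([('w', 0, '?d', '?c', '?k', '?n')],
              [('m', 1, '?d', '?c', ('pair', '?d', ('enc', ('ins', '?n'), '?k'))), ('w', 2, '?d', '?c', '?k', '?n')])),
    ('tvs2', ([('w', 1, '?c', '?d', '?k', '?n'), ('m', 1, '?d', '?c', M1)],
              [('m', 2, '?c', '?d', ('pair', '?c', M1)), ('w', 1, '?c', '?d', '?k', ('s', '?n'))])),
    ('tvs3', ([('w', 2, '?d', '?c', '?k', '?n'), ('m', 2, '?c', '?d', ('pair', '?c', ('pair', '?d', ('enc', ('ins', '?n'), '?k'))))],
              [('w', 0, '?d', '?c', '?k', ('s', '?n'))])),
    ('divert', ([('m', '?j', '?s', '?r', '?x')], [('i', '?x'), ('i', '?s'), ('i', '?r')])),             # rule (26)
    ('pair', ([('i', '?a'), ('i', '?b')], [('i', '?a'), ('i', '?b'), ('i', ('pair', '?a', '?b'))])),     # rule (32)
    ('fake', ([('i', '?x'), ('i', '?s'), ('w', '?j', '?r', '?s', '?k', '?n')],                             # rule (37')
              [('i', '?x'), ('i', '?s'), ('w', '?j', '?r', '?s', '?k', '?n'), ('m', '?j', '?s', '?r', '?x')])),
]

def find_attack():                    # Example 11 / Appendix B: D finishes a session C never took part in
    init = [('w', 0, 'tv', 'scard', 'key', 'c0'), ('w', 1, 'scard', 'tv', 'key', 'c0'), ('i', 'scard')]
    goal = [('w', 0, '?d', '?c', '?k', ('s', '?n')), ('w', 1, '?c', '?d', '?k', '?n')]
    return search(TOY_RULES, init, goal)    # ['tvs1', 'divert', 'pair', 'fake', 'tvs3']
```

find_attack() returns the rule sequence tvs1, divert, pair, fake, tvs3, i.e. the scenario of Appendix B, and as noted above the path to the contradiction reads directly as the attack. The critical pattern is the one of Definition 6 with the counters as in Appendix B: the decoder has moved to session $s(c_0)$ while the smartcard still waits in session $c_0$. Simplification (Definition 9) is not needed in this toy since no $S_0$ rule is involved.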
6.4 Results

The approach has been experimented with several protocols described in [7]. We have been able to find the known flaws with this uniform method in several protocols, in less than 1 minute (including compilation) in every case, see Figure 2.

Protocol                      | Description                          | Flaw                                         | Intruder abilities
------------------------------|--------------------------------------|----------------------------------------------|----------------------------
Encrypted Key Exchange        | Key distribution                     | Correspondence attack                        | divert, impersonate
Needham Schroeder Public Key  | Key distribution with authentication | Secrecy attack                               | divert, impersonate
Otway Rees                    | Key distribution with trusted server | Key compromising = secrecy attack, type flaw | divert, impersonate
Shamir Rivest Adleman         | Transmission of secret information   | Secrecy attack                               | divert, impersonate
Tatebayashi Matsuzaki Newman  | Key distribution                     | Key compromising = secrecy attack            | eaves_dropping, impersonate
Woo and Lam Π                 | Authentication                       | Correspondence attack                        | divert, impersonate

Fig. 2. Experiments

See http://www.loria.fr/equipes/protheo/SOFTWARES/CASRUL/ for more details.



7 Conclusion

We have presented a complete, compliant translator from security protocols to rewrite rules and shown how it is used for the detection of flaws. The advantages of our system are that the automatic translation covers a large class of protocols and that the narrowing execution mechanism makes it possible to handle several aspects such as timeliness. A drawback of our approach is that the produced rewrite system can be complex and therefore flaw detection gets time-consuming. However, simplifications should be possible to shorten derivations. For instance, composition and reduction with the rules of $S_0$ may be performed in one step.

The translation can be directly extended for handling key systems satisfying algebraic laws such as commutativity (cf. RSA). It can be extended to other kinds of flaws: binding, typing, etc. We plan to analyse e-commerce protocols, where our management of freshness should prove to be very useful since fresh data are ubiquitous in electronic forms (order and payment, e.g.). We plan to develop a generic daTac proof strategy for reducing the exploration space when searching for flaws. We also conjecture that it is possible to modify our approach in order to prove the absence of flaws under some assumptions.
Appendix A: Design Flaws

Example 16.

identifiers
  M, B, C : user;
  O, N : number;
  Kb, Kc : public_key;
  hash : function;
messages
  1. M → C : {O}Kc
  2. C → M : (B, {N}Kb, hash(N))
  3. M → B : ({N}Kb, hash(O))
  4. B → M : {hash(hash(N), hash(O))}Kb^-1
knowledge
  C : B, Kb, hash;
  M : C, O, Kc, Kb, hash;
  B : Kb, Kb^-1, hash;
session_instance
  [M : Merchant, B : Bank, C : Customer, O : car, Kb : kb, Kc : kc]
  [M : Merchant, B : Bank, C : Customer, O : peanut, Kb : kb, Kc : kc]

This is a flawed e-commerce protocol. While browsing an online commerce site, the customer $C$ is offered an object $O$ (together with an order form, price information etc.) by the merchant $M$. Then, $C$ transmits to $M$ a payment form $N$ with his bank account information and the price of $O$, in order for $M$ to ask $C$'s bank $B$ directly for the payment. For confidentiality reasons, $M$ must never read the contents of $N$, and $B$ must not learn $O$. Therefore, $O$ is encrypted in message 1 with the public key $Kc$ of $C$. Also, in message 2, $N$ is transmitted by $C$ to $M$ in encrypted form with the bank's public key $Kb$ and in the form of a digest computed with the one-way function $hash$. Then $M$ relays the cipher $\{N\}_{Kb}$ to $B$ together with a digest of $O$. The bank $B$ makes the verification for the payment and, when it is possible, gives its certificate to $M$ in the form of a dual signature.

The problem is that in message 2 there is no occurrence of $O$, so there may be some interference between two executions of the protocol. Imagine that $C$ is performing simultaneously two transactions with the same merchant $M$. In the two concurrent executions of the protocol, $M$ sends 1. $M \to C : \{car\}_{Kc}$ and 1. $M \to C : \{peanut\}_{Kc}$. $C$ will reply with two distinct corresponding payment forms (the price held will vary): 2. $C \to M : (B, \{N_{car}\}_{Kb}, hash(N_{car}))$ and 2. $C \to M : (B, \{N_{peanut}\}_{Kb}, hash(N_{peanut}))$. But after receiving these two messages, $M$ may be confused about which payment form is for which offer (recall that $M$ cannot read $N_{car}$ and $N_{peanut}$), and send the wrong requests to $B$: 3. $M \to B : (\{N_{car}\}_{Kb}, hash(peanut))$ and 3. $M \to B : (\{N_{peanut}\}_{Kb}, hash(car))$. If the bank refuses the payment of $N_{car}$ but authorises the one of $N_{peanut}$, it will give a certificate for buying a car and paying for peanuts! Fortunately for $M$, the check of the dual signature (by $M$) will fail and the transaction will be aborted, but there is nevertheless a serious interference flaw in this protocol, which can occur even between two honest agents only (without an intruder). Binding the payment form to the offer in message 2, for instance by including $hash(O)$ next to $hash(N)$, removes the ambiguity.



Appendix B: A Correspondence Attack

Trace obtained by daTac of a correspondence attack for the symmetric key TV protocol (Figure 1).

$t_{init}(\mathcal{P}) =$
$h(x_1) . w(0, x_2, tv, x_3, (tv, scard, key), 1)$
$. w(1, x_4, scard, (x_4, \{x_5\}_{key}), (scard, key), 1)$
$. i(scard)$

$\to_{(tvs1)}$

$h(x_1) . m(1, tv, tv, scard, (tv, \{nonce(x_1)\}_{key}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key}), (tv, scard, key, x_2, nonce(x_1)), 1)$
$. w(1, x_3, scard, (x_3, \{x_4\}_{key}), (scard, key), 1)$
$. i(scard)$

$\to_{(26)}$

$h(x_1) . w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key}), (tv, scard, key, x_2, nonce(x_1)), 1)$
$. w(1, x_3, scard, (x_3, \{x_4\}_{key}), (scard, key), 1)$
$. i(tv) . i(scard) . i((tv, \{nonce(x_1)\}_{key}))$

$\to_{(28)}$

$h(x_1) . w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key}), (tv, scard, key, x_2, nonce(x_1)), 1)$
$. w(1, x_3, scard, (x_3, \{x_4\}_{key}), (scard, key), 1)$
$. i(tv) . i(scard) . i(\{nonce(x_1)\}_{key})$

$\to_{(37)}$

$h(x_1) . m(2, I, scard, tv, (scard, tv, \{nonce(x_1)\}_{key}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key}), (tv, scard, key, x_2, nonce(x_1)), 1)$
$. w(1, x_3, scard, (x_3, \{x_4\}_{key}), (scard, key), 1)$
$. i(scard) . i(tv) . i(\{nonce(x_1)\}_{key})$

$\to_{(tvs3)}$

$h(x_1) . w(0, x_2, tv, x_3, (tv, scard, key), s(1))$
$. w(1, x_3, scard, (x_3, \{x_4\}_{key}), (scard, key), 1)$
$. i(scard) . i(tv) . i(\{nonce(s(x_1))\}_{key})$

One subterm of the last term matches the pattern $t_{goal}(\mathcal{P})$: the decoder has completed session 1 and moved to $s(1)$ while the smartcard is still waiting for the first message of session 1.
Appendix C: A Secrecy Attack

Trace obtained by daTac of a secrecy attack for the public key TV protocol (Figure 1).

$t_{init}(\mathcal{P}) =$
$h(x_1) . w(0, x_2, tv, x_3, (tv, scard, key, key[tv]^{-1}), 1)$
$. w(1, x_4, scard, (x_4, x_5), (scard, key, key[scard]^{-1}), 1)$
$. i(key)$

$\to_{(tvp1)}$

$h(x_1) . m(1, tv, tv, scard, (tv, \{nonce(x_1)\}_{key[tv]^{-1}}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key[tv]^{-1}}), (tv, scard, key, key[tv]^{-1}, x_2, x_3, nonce(x_1)), 1)$
$. w(1, x_4, scard, (x_4, x_5), (scard, key, key[scard]^{-1}), 1)$
$. secret(nonce(x_1), f(1))$
$. i(key)$

$\to_{(27)}$

$h(x_1) . m(1, tv, tv, scard, (tv, \{nonce(x_1)\}_{key[tv]^{-1}}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key[tv]^{-1}}), (tv, scard, key, key[tv]^{-1}, x_2, x_3, nonce(x_1)), 1)$
$. w(1, x_4, scard, (x_4, x_5), (scard, key, key[scard]^{-1}), 1)$
$. secret(nonce(x_1), f(1))$
$. i(key) . i(tv) . i(scard) . i((tv, \{nonce(x_1)\}_{key[tv]^{-1}}))$

$\to_{(28)}$

$h(x_1) . m(1, tv, tv, scard, (tv, \{nonce(x_1)\}_{key[tv]^{-1}}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key[tv]^{-1}}), (tv, scard, key, key[tv]^{-1}, x_2, x_3, nonce(x_1)), 1)$
$. w(1, x_4, scard, (x_4, x_5), (scard, key, key[scard]^{-1}), 1)$
$. secret(nonce(x_1), f(1))$
$. i(key) . i(tv) . i(scard) . i(\{nonce(x_1)\}_{key[tv]^{-1}})$

$\to_{(35)}$

$h(x_1) . m(1, tv, tv, scard, (tv, \{nonce(x_1)\}_{key[tv]^{-1}}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key[tv]^{-1}}), (tv, scard, key, key[tv]^{-1}, x_2, x_3, nonce(x_1)), 1)$
$. w(1, x_4, scard, (x_4, x_5), (scard, key, key[scard]^{-1}), 1)$
$. secret(nonce(x_1), f(1))$
$. i(key) . i(tv) . i(scard) . i(\{nonce(x_1)\}_{key[tv]^{-1}}) . i(key[tv])$

$\to_{(31)}$

$h(x_1) . m(1, tv, tv, scard, (tv, \{nonce(x_1)\}_{key[tv]^{-1}}), 1)$
$. w(2, scard, tv, (scard, tv, \{nonce(x_1)\}_{key[tv]^{-1}}), (tv, scard, key, key[tv]^{-1}, x_2, x_3, nonce(x_1)), 1)$
$. w(1, x_4, scard, (x_4, x_5), (scard, key, key[scard]^{-1}), 1)$
$. secret(nonce(x_1), f(1))$
$. i(key) . i(tv) . i(scard) . i(\{nonce(x_1)\}_{key[tv]^{-1}}) . i(key[tv]) . i(nonce(x_1))$

The subterm $secret(nonce(x_1), f(1)) . i(nonce(x_1))$ matches the pattern $t_{goal}(\mathcal{P})$: the intruder only needed the public table $key$ and the name $tv$ (step (35)) to open the cipher made with the private key $key[tv]^{-1}$ (step (31)).
Abstract. We allow equations in binary decision diagrams (BDD). The
resulting objects are called EQ-BDDs. A straightforward notion of re- 
duced ordered EQ-BDDs (EQ-OBDD) is defined, and it is proved that 
each EQ-BDD is logically equivalent to an EQ-OBDD. Moreover, on EQ- 
OBDDs satisfiability and tautology checking can be done in constant 
time. 

Several procedures to eliminate equality from BDDs have been reported 
in the literature. Typical for our approach is that we keep equalities, and 
as a consequence do not employ the finite domain property. Furthermore, 
our setting does not strictly require Ackermann’s elimination of function 
symbols. This makes our setting much more amenable to combinations 
with other techniques in the realm of automatic theorem proving, such 
as term rewriting. 

We introduce an algorithm, which for any propositional formula with 
equations finds an EQ-OBDD that is equivalent to it. The algorithm 
has been implemented, and applied to benchmarks known from litera- 
ture. The performance of a prototype implementation is comparable to 
existing proposals. 



1 Introduction 

Binary decision diagrams (BDDs) [5,6,12] are widely used for checking satisfia- 
bility and tautology of boolean formulae. Applications include hardware verifi- 
cation and symbolic model checking. Every formula of propositional logic can be 
efficiently represented as a BDD. BDDs can be reduced and ordered, which in 
the worst case requires exponential time, but for many interesting applications 
it can be done in polynomial time. The reduced and ordered BDD (OBDD) 
is a unique representation for boolean formulae, so satisfiability, tautology and 
equivalence on OBDDs can be checked in constant time. 

Much current research is done on extending the BDD techniques to formulae 
outside propositional logic. In principle, the boolean variables can be general- 
ized to arbitrary relations. The goal now is to check satisfiability or validity of 
quantifier free formulae in a certain theory. The main example is the logic of 
equality and uninterpreted function symbols (EUF) [10,7,16]. Another example 
is the logic of difference constraints on integers or reals [13]. 



M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 161-178, 2000.
(c) Springer-Verlag Berlin Heidelberg 2000
EUF formulae have been successfully applied to the verification of pipelined
microprocessors [8,7] and of compiler optimizations [16]. In these applications, 
functions can be viewed as black boxes that are connected in different ways. 
Hence the concrete functions can be abstracted from, by replacing them by 
uninterpreted function symbols (i.e., universally quantified function variables). 
It is clear that if the abstracted formula is valid, then the original formula is. 
However, the converse is not true, e.g. x + y = y + x is valid, but its abstract 
version F{x,y) = F{y,x) is not. 

Two methods for solving EUF formulae exist. The first method is based on
two observations by Ackermann [1]. First, the function variables can be elim-
inated, essentially by replacing any two subterms of the form F(x) and F(y)
by new variables f1 and f2, and adding functionality constraints of the form
x = y → f1 = f2. The second observation is the finite domain property, which
states that the resulting formula is satisfiable if, and only if, it is satisfiable over
a finite domain. Given an upper bound n on the size of this domain, each domain
variable can be encoded as a vector of ⌈log(n)⌉ bits. In this way the original
problem is reduced to propositional logic, and can be solved using existing BDD
techniques.
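As an added example (this code is not from the paper), here is Ackermann's reduction in Python on a small term language, followed by the finite-domain check on the two formulae mentioned above: x = y → F(x) = F(y) is valid, while the abstraction F(x, y) = F(y, x) of x + y = y + x is not. Instead of encoding each variable as a bit vector, the check simply enumerates all assignments of the k variables into a domain of size k, which is the bound the finite domain property gives for equality logic without function symbols; the tuple representation of terms and the fresh-variable naming scheme (f1, f2, ...) are assumptions of this example.

```python
"""Ackermann's reduction of an EUF formula to equality logic, plus a brute-force
finite-domain validity check. Terms are nested tuples: a domain variable is a
str, an application is (symbol, arg, ...). Formulas use ('=', t, t),
('not', f), ('and', f, g) and ('imp', f, g). (Added example, not the paper's code.)"""
from itertools import product

CONNECTIVES = {'=', 'not', 'and', 'imp'}


def ackermann(formula):
    """Replace every distinct application F(t1, ..., tn) by a fresh variable and
    return (body, constraints). The constraints are the functionality constraints
    t1 = s1 ∧ ... ∧ tn = sn → fi = fj for every pair of applications of the same
    symbol. Assumption: fresh names f1, f2, ... do not clash with the formula's
    own variables."""
    fresh = {}                                   # (symbol, args...) -> fresh variable

    def elim(t):
        if isinstance(t, str):
            return t
        if t[0] in CONNECTIVES:
            return (t[0],) + tuple(elim(a) for a in t[1:])
        app = (t[0],) + tuple(elim(a) for a in t[1:])   # nested applications first
        if app not in fresh:
            fresh[app] = f"{t[0].lower()}{len(fresh) + 1}"
        return fresh[app]

    body = elim(formula)
    constraints = []
    apps = list(fresh)
    for i, a in enumerate(apps):
        for b in apps[i + 1:]:
            if a[0] == b[0] and len(a) == len(b):
                args_equal = [('=', p, q) for p, q in zip(a[1:], b[1:])]
                cond = args_equal[0]
                for e in args_equal[1:]:
                    cond = ('and', cond, e)
                constraints.append(('imp', cond, ('=', fresh[a], fresh[b])))
    return body, constraints


def variables(f):
    """All domain variables occurring in a function-free formula."""
    if isinstance(f, str):
        return {f}
    return set().union(*(variables(a) for a in f[1:]))


def holds(f, env):
    """Evaluate a function-free formula under an assignment of variables to ints."""
    op = f[0]
    if op == '=':
        return env[f[1]] == env[f[2]]
    if op == 'not':
        return not holds(f[1], env)
    if op == 'and':
        return holds(f[1], env) and holds(f[2], env)
    return (not holds(f[1], env)) or holds(f[2], env)      # 'imp'


def euf_valid(formula):
    """Validity of an EUF formula: eliminate functions, then check
    constraints → body over the domain {0, ..., k-1}, k = number of variables.
    A formula of equality logic with k variables is satisfiable iff it is
    satisfiable over k elements, so this enumeration is complete."""
    body, constraints = ackermann(formula)
    goal = body
    for c in constraints:
        goal = ('imp', c, goal)
    names = sorted(variables(goal))
    k = len(names)
    return all(holds(goal, dict(zip(names, vals)))
               for vals in product(range(k), repeat=k))


# x = y → F(x) = F(y): valid, because the functionality constraint is exactly this.
CONGRUENCE = ('imp', ('=', 'x', 'y'), ('=', ('F', 'x'), ('F', 'y')))
# Abstraction of x + y = y + x: F(x, y) = F(y, x) is not valid (the text's example).
COMMUTATIVE = ('=', ('F', 'x', 'y'), ('F', 'y', 'x'))

if __name__ == '__main__':
    print(ackermann(COMMUTATIVE))
    print(euf_valid(CONGRUENCE), euf_valid(COMMUTATIVE))
```

The enumeration is exponential in the number of variables, which is exactly what the bit-vector encoding and the BDD machinery are meant to tame; the point of the example is only to make the two observations concrete.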

The second method extends the BDD data structure, by allowing equations
in the nodes of a BDD, instead of boolean variables only. By viewing all atoms as
distinct variables, the BDD algorithms can still be used to construct a reduced 
ordered BDD. Contrary to the propositional case, a path in these OBDDs can 
be inconsistent, for instance because it violates transitivity constraints. As a 
consequence, all paths of the resulting OBDD have to be checked in order to 
conclude satisfiability. 

Ultimately, we are interested in the symbolic verification of distributed sys- 
tems, using high-level descriptions. This involves reasoning about data types 
(specified algebraically) and control (described by boolean conditions on data). 
Properties of the system are described using large boolean expressions. We want 
to use BDD-techniques in order to prove, or at least simplify, boolean expressions 
containing arbitrary relation and function symbols. In this setting, abstraction 
doesn’t work, as it doesn’t preserve logical equivalence. Without abstraction, 
Ackermann’s function elimination cannot be applied, and the finite domain prop- 
erty doesn’t hold. 

We therefore turn to the second method, allowing equations in the BDD 
nodes. We will give a new definition of “ordered”, such that in ordered BDDs all 
paths will be consistent. The advantage is that on ordered BDDs with equations, 
the satisfiability check can be done in constant time. The contribution of this 
paper is an intermediate step towards the situation where arbitrary relations 
and function symbols in BDDs are allowed. We restrict to the case of equations, 
without function symbols. 

Technical Contribution. In Section 2 we introduce EQ-BDDs, which are BDDs 
whose internal nodes may contain equations between variables. We extend the 
notion of orderedness so that it covers the equality laws for reflexivity, symmetry, 
transitivity and substitution. The main idea is that in a (reduced) ordered EQ-
BDD (EQ-OBDD) of the form ITE(x = y, P, Q), y may not occur in P; this can
be achieved by substituting occurrences of y by x. By means of term rewriting 
techniques, we show that every EQ-BDD is equivalent to an EQ-OBDD. 

Contrary to OBDDs, EQ-OBDDs are not unique, in the sense that different 
EQ-OBDDs may still be logically equivalent, so equivalence checking on EQ- 
OBDDs cannot be done in constant time. However, we show that in an EQ- 
OBDD, each path from the root to a leaf is consistent. As a corollary, 0 is the 
only contradictory EQ-OBDD, and 1 is the only tautological one. Every other 
EQ-OBDD is satisfiable. So satisfiability and tautology checking on EQ-OBDDs 
can still be done in constant time. 

We present an algorithm for converting propositional formulae with equality 
into an EQ-OBDD in Section 3. Usually a bottom-up algorithm is used, based 
on Bryant’s Apply algorithm [5], which implements the logical connectives on 
OBDDs in polynomial time. In the presence of equalities, Apply would involve
new substitutions, which possibly cause a reordering of the subformulae. 

Instead, we use a generalization of the top-down method (cf. [12]). The inef- 
ficiency usually attributed to this top-down approach is avoided by using mem- 
oization techniques and maximal sharing. We have made a prototype implemen- 
tation in C, which uses the ATerm library [4] to manipulate terms in maximally 
shared representation. We applied this implementation on the benchmarks used 
in [16,19]. It appears that our ideas yield a feasible procedure, and that the 
performance is comparable to the approach in [16]. 

In EQ-BDDs, interpreted function symbols can be incorporated straightfor- 
wardly. A complete term rewrite system for the algebraic data part can be used 
to reduce the nodes. This always leads to equivalent formulae, but completeness 
of the method is lost. In future work we plan to investigate under which circum- 
stances completeness can be regained. The fact that equality is incorporated 
directly, instead of encoded, can give BDD-techniques a much more prominent 
place in interactive theorem provers like PVS [15]. The fact that the performance 
of our prototype implementation is comparable with existing proposals indicates 
that extendibility does not necessarily come with a loss in efficiency. 

Related work. After Ackermann [1] proved decidability of quantifier free logic 
with equality, Shostak [18] and Nelson and Oppen [14] provided practical algo- 
rithms for the validity check, based on the congruence closure. Those authors 
used a transformation to disjunctive normal forms. In [8] this transformation 
is avoided, by dealing more efficiently with boolean combinations; in particular 
they incorporate case splitting as in the Davis-Putnam procedure. We next con- 
sider papers based on BDDs, that either use the aforementioned method based 
on the finite domain property, or allow arbitrary atoms in the BDD nodes. 

Two recent papers [7,16] refine the method based on finite domains. The 
main contribution of Bryant et al. [7] is to distinguish between function symbols 
that occur in positive equations only (p-symbols) and other function symbols (g-
symbols). This allows to restrict attention to maximally diverse interpretations,
in which p-symbols can be interpreted by a fixed value. Also Ackermann’s func-
tion elimination is improved. Pnueli et al. [16] provide heuristics to obtain lower
estimates for the domains. These estimates are also obtained by distinguishing
between positive and negative occurrences of equations. Both methods rely on 
the finite domain property, whereas our solution avoids this. 

The other method is closer to our approach. Goel et al. [10] avoid bit vectors
for finite domains, by introducing boolean variables e_ij, representing the equation
x_i = x_j. So their method doesn’t rely on the finite model property. Similarly,
Møller et al. [13] allow difference constraints of the form x − y ≤ c in the BDD
nodes, with c an integer or real constant. In case the underlying domain consists
of integers or reals, x = y can be encoded as x − y ≤ 0 ∧ y − x ≤ 0, leading to
two different nodes. For other underlying domains, such as natural numbers or
lists, this encoding is not possible, whereas our approach works for equality in any
domain.

Both [10] and [13] first reduce a formula to OBDD, viewing all boolean terms 
as different variables. Although the nodes on a path are all different after this 
operation, a path can still be inconsistent, for instance by violating transitivity. 
Parts of the OBDD are inaccessible, so in general the OBDD is too large. The 
OBDD can be further reduced in order to check satisfiability (this is called path- 
reduced in [13]), but this involves the inspection of all paths, of which there can 
be exponentially many. Indeed, in [10] it is proved that deciding whether an 
OBDD with e_ij-variables has a satisfying assignment that complies with transitivity is
NP-complete. In our case, the paths in the resulting EQ-OBDD are consistent 
and the test for satisfiability on EQ-OBDDs requires constant time only. 

Another approach, mentioned in the full version of [7], considers the addition 
of transitivity constraints to a formula. Adding all of them usually leads to 
a blow-up of the BDD. A heuristics is presented to prune the set of needed 
transitivity constraints. In our approach transitivity constraints are generated 
on the fly when needed, by performing proper substitutions. 

In the implementation, the fundamental data structure is a maximally shared 
term, partly consisting of boolean connectives, and partly of BDD-nodes. This 
resembles the Binary Expression Diagrams (BEDs) of [2], for the pure boolean 
case. We have not thoroughly studied the relationship between our top-down 
algorithm and their up-one. In [17] it is indicated how such a comparison could be 
made in principle, by using term rewriting theory on strategies. Also a thorough 
comparison with the algorithm in [8] would be interesting. 

2 EQ-BDDs 



We now define a syntax for formulae. First assume disjoint sets P and V. Mem- 
bers of P are called proposition (boolean) variables (typically p, q, . . . ) and V 
contains domain variables (typically x, y, z, . . .). 

Definition 1. Formulae are expressions satisfying the following syntax:

Φ ::= 0 | 1 | P | V = V | ¬Φ | Φ ∧ Φ | ITE(Φ, Φ, Φ)
We use x ≠ y as an abbreviation of ¬(x = y). In order to avoid confusion, we
write ≡ for syntactic equality, so x ≡ y means that x and y are the same variable.

An interpretation consists of a non-empty domain D and interpretation
functions I : V → D and J : P → {0, 1}. Then the semantics of Φ, denoted by
Φ_IJ ∈ {0, 1}, can be defined straightforwardly. In particular, ITE(x, y, z)_IJ = y_IJ
if x_IJ = 1, otherwise it equals z_IJ. Equality is interpreted as the identity relation
by defining (x = y)_IJ as 1 if I(x) = I(y), 0 otherwise. Now D, I, J forms a
model for Φ iff Φ_IJ = 1. Φ is satisfiable iff it has a model and it is tautological
(or: universally valid) iff all interpretations are models. Φ and Ψ are log ically
equivalent iff they have the same models. A theory is a set of formulae. Given
a theory S, we write S ⊨ Φ iff all models for S are models of Φ. We rely on
the following lemma, which is a theorem of Shostak [18], specialized to the case
without function symbols.

Lemma 2. Let S be a set of equalities and T a set of inequalities. Then S ∪ T
is satisfiable if and only if for all x ≠ y ∈ T, x = y is not in the reflexive,
symmetric and transitive closure of S.

We now turn to the study of EQ-BDDs, which can be seen as a subset of for- 
mulae, and consider arbitrary formulae in Section 3. A binary decision diagram 
(BDD [6,12]) is a DAG, whose internal nodes contain guards, and whose leaves 
are labeled 0 (low, false) or 1 (high, true). Each node contains two distinguished 
outgoing edges, called low and high. In ordinary BDDs, the guards solely con- 
sist of proposition variables. The only difference between ordinary BDDs and 
EQ-BDDs is that in the latter, a guard can also consist of equations between 
domain variables. EQ-BDDs can be depicted as follows (the low/false edges are 
dashed) : 




We reason mainly about EQ-BDDs as a restricted subset of formulae, al- 
though in implementations we always treat these formulae as maximally shared 
DAGs. There are constants to represent the nodes 0 or 1. Furthermore, we use 
the if-then-else function ITE(g, t1, t2) where g is a guard, or label of a node in
the BDD, t1 is the high node and t2 is the low node. Guards can be proposi-
tion variables in P, or equations of the form x = y where x and y are domain
variables (V).

Definition 3. We define the set G of guards and B of EQ-BDDs, 

G ::= P | V = V
B ::= 0 | 1 | ITE(G, B, B)
The EQ-BDD depicted above can be written as: ITE(x = y, 1, ITE(y = z, 1, 0)).

In order to compute whether an EQ-BDD is tautological or satisfiable, it will 
first be ordered. In an ordered EQ-BDD, the guards on a path may only appear 
in a fixed order. To this end, we impose a total order on P ∪ V (e.g. x ≻ p ≻
y ≻ z ≻ q). This order is extended lexicographically to guards as follows:

Definition 4 (Order on guards).

p ≻ q as given above
(x = y) ≻ p if, and only if, x ≻ p
p ≻ (x = y) if, and only if, p ≻ x
(x = y) ≻ (u = v) if, and only if, either x ≻ u, or x ≡ u and y ≻ v.

Given this order, we can now define what we mean by an ordered EQ-BDD. We 
use some elementary terminology from term rewrite systems (TRSs), which can 
for instance be found in [11,3]. In particular, a normal form is a term to which 
no rule can be applied. A system is terminating if no infinite rewrite sequence 
exists. 

Definition 5. An EQ-BDD is ordered if, and only if, it is a normal form
w.r.t. the following term rewrite system, called Order. An EQ-OBDD is an
ordered EQ-BDD:

1. ITE(G, T, T) → T

2. ITE(G, ITE(G, T1, T2), T3) → ITE(G, T1, T3)

3. ITE(G, T1, ITE(G, T2, T3)) → ITE(G, T1, T3)

4. ITE(G1, ITE(G2, T1, T2), T3) → ITE(G2, ITE(G1, T1, T3), ITE(G1, T2, T3)),
provided G1 ≻ G2

5. ITE(G1, T1, ITE(G2, T2, T3)) → ITE(G2, ITE(G1, T1, T2), ITE(G1, T1, T3)),
provided G1 ≻ G2

6. ITE(x = x, T1, T2) → T1

7. ITE(y = x, T1, T2) → ITE(x = y, T1, T2), provided x ≺ y

8. ITE(x = y, T1[y], T2) → ITE(x = y, T1[x], T2), if x ≺ y and y occurs in T1.

Rules 6-8 capture the properties of equality, viz. reflexivity, symmetry, and sub-
stitutivity. From these rules, transitivity can be derived, as we demonstrate in
Figure 1 (we assume x ≺ y ≺ z). Note that in rule 8 all instances of y in T1 are
replaced by x. From a term rewriting perspective this is non-standard, because
it is a non-local rule.

In a normal form no rewrite rules are applicable. Hence it is easy to see that 
in an ordered EQ-BDD, the guards along a path occur in strictly increasing 
order (otherwise rule 2/3/4/5 would be applicable) and in all guards of the form
x = y, it must be the case that x ≺ y (otherwise rule 6/7 would be applicable).
Note that the transformations indicated by the rules are sound, in the sense that 
they yield logically equivalent EQ-BDDs. 

Fig. 1. Derivation of transitivity of equality in EQ-BDDs (diagram not reproduced).

We prove that each EQ-BDD is equivalent to an EQ-OBDD, by showing that
the TRS Order always terminates. The termination proof uses the powerful
recursive path ordering (RPO) [9]. For RPO comparisons, we view ITE(g, t1, t2)
as g(t1, t2). RPO needs an ordering on the function symbols. For this we just use
the total order on guards of Definition 4, extended with 1, 0 ≺ g for all guards g.
In this case, RPO specializes to the following relation:

Definition 6. s = f(s1, s2) ≻_rpo t iff t = 0 or t = 1, or t = g(t1, t2) and one
of the following holds:

- (I) s1 ⪰_rpo t, or s2 ⪰_rpo t;

- (II) f ≻ g and s ≻_rpo t1 and s ≻_rpo t2;

- (III) f = g and either s1 ≻_rpo t1 and s2 ⪰_rpo t2, or s2 ≻_rpo t2 and s1 ⪰_rpo t1.

Here x ⪰_rpo y means: x ≻_rpo y or x = y. Usually in clause (III) the multiset or
lexicographic extension is used, but this is not needed for our purposes. From
the literature, it is well known that ≻_rpo is an order (in particular the relation
is transitive), which is well-founded (because ≻ on guards is) and monotone, so
it is useful in proving termination.

Lemma 7. The rewrite system Order is terminating. 

Proof. It is straightforward to show that rules 1-8 are contained in ≻_rpo (for rule
8 monotonicity of ≻_rpo is used). From this termination follows. □



Theorem 8. Every EQ-BDD is equivalent to some EQ-OBDD. 

Traditional OBDDs are unique representations of boolean functions, which
makes them useful for checking equivalence between formulae. For EQ-OBDDs,
however, this uniqueness property fails, as the following example shows.

Example 9. Let x ≺ y ≺ z. Consider the EQ-BDDs ITE(x = y, 1, ITE(y =
z, 0, 1)) and ITE(x = z, 1, ITE(y = z, 0, 1)). These represent the predicates
y = z → x = y and y = z → x = z, which are logically equivalent. Both are
ordered, because no rewrite rule is applicable. But they are not identical. □
Although EQ-OBDDs do not have the uniqueness property, satisfiability or
tautology checking can still be done in constant time. The rest of this section is 
devoted to the proof of this statement. 

Definition 10. Paths are sequences of 0’s and 1’s. We let letters α, β and γ
range over paths, and write ε for the empty sequence, α.β for the concatenation,
and α ⊑ β if α is a prefix of β. With seq(T) we denote the sequences that
correspond to a path in EQ-BDD T. For a path α ∈ seq(T) we write T|α for the
guard at the end of path α, inductively defined by:

- ITE(G, T, U)|ε = G.

- ITE(G, T, U)|1.α = T|α (the high branch).

- ITE(G, T, U)|0.α = U|α (the low branch).

We also define the theory up to the node corresponding to path α ∈ seq(T),
notation Th(T, α), inductively on an EQ-BDD T:

- Th(T, ε) = ∅.

- Th(T, α.1) = Th(T, α) ∪ {T|α}.

- Th(T, α.0) = Th(T, α) ∪ {¬T|α}.

Finally, α ∈ seq(T) is called consistent iff Th(T, α) is satisfiable.

Example 11. Let T = ITE(x = y, 1, ITE(y = z, ITE(x = z, 1, 0), 1)). Then the
guard at path 0.1 is: T|0.1 ≡ x = z. The theory at that point is: Th(T, 0.1) =
{x ≠ y, y = z} which is satisfiable, so 0.1 is consistent. □

The analysis of EQ-OBDDs depends on the following rather syntactic lemma.
The first part states that in EQ-OBDDs y does not occur below the high branch of
x = y; the second states that y does not occur positively above x = y.

Lemma 12. Let T be an EQ-OBDD, and α, β ∈ seq(T) be consistent paths.

1. If T|α ≡ x = y and α.1 ⊑ β, then T|β ≢ z = y and T|β ≢ y = z.

2. If T|α ≡ x = y and β.1 ⊑ α, then T|β ≢ z = y and T|β ≢ y = z.

3. If Th(T, α) ⊨ x = z and x ≢ z, then for some y, y = z ∈ Th(T, α).

Proof. (1) If T|β contains y, rewrite step 8 would be applicable, which contradicts
orderedness.

(2) If T|β ≡ z = y rewrite step (8) is applicable, contradicting orderedness.
Assume T|β ≡ y = z. Note that x ≺ y, as x = y appears in the EQ-OBDD,
so x = y ≺ y = z. Hence, on the path between the nodes labeled with y = z
and x = y, at least one of the steps (4,5) would be applicable. This contradicts
orderedness of T.

(3) Let Th(T, α) ⊨ x = z. Note that Th(T, α) is satisfiable, but Th(T, α) ∪
{x ≠ z} is not. Hence by two applications of Lemma 2, x = z is in the reflexive,
symmetric, transitive closure of the positive equations in Th(T, α). I.e. there
exist n and x_i (0 ≤ i ≤ n), such that x_0 ≡ x, x_n ≡ z and for all i (0 ≤ i < n),
x_i = x_{i+1} ∈ Th(T, α) or x_{i+1} = x_i ∈ Th(T, α). Because x ≢ z, we have n ≥ 1.
Consider the last equation in this sequence, which is either x_{n−1} = z ∈ Th(T, α),
in which case we are done, or it is z = x_{n−1} ∈ Th(T, α). In this case, x_{n−1} doesn’t
occur in any other equation (it cannot occur positively above z = x_{n−1} in T by
(2), nor can it occur below it by (1)). Hence n = 1 and z = x ∈ Th(T, α). This
contradicts orderedness of T, because x ≺ z. □

We can now prove that each guard in an EQ-OBDD is logically independent 
from those occurring above it. 

Lemma 13. Let T be an EQ-OBDD and let α ∈ seq(T) be consistent. Then

1. Th(T, α) ⊭ T|α and

2. Th(T, α) ⊭ ¬T|α.

Proof. If T|α ≡ p (p ∈ P), then by orderedness, p does not occur in Th(T, α),
so the lemma follows (this is similar to the traditional BDD-case). Now let
T|α ≡ x = z. Hence, x ≺ z.

(1) Assume Th(T, α) ⊨ x = z. By Lemma 12.3, for some y, y = z ∈ Th(T, α).
Then rewrite step 8 is applicable, which contradicts orderedness.

(2) Assume Th(T, α) ⊨ x ≠ z. Using Lemma 2 it can be proved that for
some y and v, Th(T, α) ⊨ {x = y, v = z} and either y ≠ v ∈ Th(T, α) or
v ≠ y ∈ Th(T, α). By Lemma 12.2, no positive equations containing z occur in
Th(T, α), so z ≡ v. Now if z ≠ y ∈ Th(T, α), z = y occurs above x = z in the
ordered EQ-BDD T, so z ≺ x, contradicting x ≺ z. Hence, y ≠ z ∈ Th(T, α).
Note that as T is ordered and y = z occurs above x = z, y ≺ x. Now by
Lemma 12.3, for some w, w = x ∈ Th(T, α). But then rewrite step 8 would be
applicable, which contradicts orderedness. □

Theorem 14. Satisfiability and tautology on EQ-OBDDs can be checked in con- 
stant time. 

Proof. Using Lemma 13 it can be proved that each path to a leaf in an EQ- 
OBDD is consistent, so all leaves are reachable by some interpretation. Hence 
if the EQ-OBDD is a tautology, all leaves must be syntactically equal to 1, and 
by rule (1) of Order, the EQ-OBDD must be the node 1. In a similar way, the 
only contradictory EQ-OBDD is 0. Hence an EQ-OBDD is satisfiable if, and 
only if, it is syntactically different from 0. □ 
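As an added illustration of Section 2 (this code is not part of the paper or of its prototype), the following Python snippet implements the rewrite system Order of Definition 5 on EQ-BDDs represented as nested tuples and applies it to the transitivity derivation of Figure 1, to the two non-identical EQ-OBDDs of Example 9, and to the satisfiability test of Theorem 14. The total order on P ∪ V (x ≺ y ≺ z ≺ p ≺ q) and the tuple encoding are assumptions made for the example; the strategy (try a rule at the root first, then normalize the subtrees) is one of the many that Lemma 7 permits, since termination of Order does not depend on the strategy.

```python
"""EQ-BDDs as nested tuples: 0, 1, or ('ite', guard, high, low), where a guard is
a proposition name (str) or an equation ('=', x, y) between domain variables.
(Added example, not the paper's code.)"""

# Assumed total order on P ∪ V; the paper only requires some total order.
RANK = {'x': 0, 'y': 1, 'z': 2, 'p': 3, 'q': 4}


def guard_key(g):
    """Lexicographic guard order of Definition 4: smaller key means smaller guard."""
    return (RANK[g[1]], RANK[g[2]]) if isinstance(g, tuple) else (RANK[g],)


def occurs(v, t):
    """Does domain variable v occur in some guard of the EQ-BDD t?"""
    if t in (0, 1):
        return False
    _, g, hi, lo = t
    return (isinstance(g, tuple) and v in g[1:]) or occurs(v, hi) or occurs(v, lo)


def subst(t, old, new):
    """T[old := new]: replace every occurrence of variable old by new (rule 8)."""
    if t in (0, 1):
        return t
    _, g, hi, lo = t
    if isinstance(g, tuple):
        g = ('=', new if g[1] == old else g[1], new if g[2] == old else g[2])
    return ('ite', g, subst(hi, old, new), subst(lo, old, new))


def step(t):
    """Apply one rule of Order (Definition 5) at the root of t, or return None."""
    _, g, hi, lo = t
    if hi == lo:                                                    # rule 1
        return hi
    if hi not in (0, 1) and hi[1] == g:                             # rule 2
        return ('ite', g, hi[2], lo)
    if lo not in (0, 1) and lo[1] == g:                             # rule 3
        return ('ite', g, hi, lo[3])
    if hi not in (0, 1) and guard_key(g) > guard_key(hi[1]):        # rule 4
        g2, t1, t2 = hi[1], hi[2], hi[3]
        return ('ite', g2, ('ite', g, t1, lo), ('ite', g, t2, lo))
    if lo not in (0, 1) and guard_key(g) > guard_key(lo[1]):        # rule 5
        g2, t2, t3 = lo[1], lo[2], lo[3]
        return ('ite', g2, ('ite', g, hi, t2), ('ite', g, hi, t3))
    if isinstance(g, tuple):
        x, y = g[1], g[2]
        if x == y:                                                  # rule 6
            return hi
        if RANK[y] < RANK[x]:                                       # rule 7
            return ('ite', ('=', y, x), hi, lo)
        if occurs(y, hi):                                           # rule 8
            return ('ite', g, subst(hi, y, x), lo)
    return None


def normalize(t):
    """Rewrite t to a normal form of Order, i.e. an EQ-OBDD (Theorem 8).
    Terminates by Lemma 7 whatever the order in which rules are applied."""
    if t in (0, 1):
        return t
    r = step(t)
    if r is not None:
        return normalize(r)
    _, g, hi, lo = t
    n = ('ite', g, normalize(hi), normalize(lo))
    return t if n == t else normalize(n)


def is_ordered(t):
    return normalize(t) == t


def satisfiable(t):
    """Theorem 14: an EQ-OBDD is satisfiable iff it is not the leaf 0."""
    return normalize(t) != 0


def tautology(t):
    """Theorem 14: an EQ-OBDD is a tautology iff it is the leaf 1."""
    return normalize(t) == 1


X_EQ_Y, X_EQ_Z, Y_EQ_Z = ('=', 'x', 'y'), ('=', 'x', 'z'), ('=', 'y', 'z')
# x = y ∧ y = z → x = z as an EQ-BDD (Figure 1): rule 8, then rules 2 and 1, give 1.
TRANSITIVITY = ('ite', X_EQ_Y, ('ite', Y_EQ_Z, ('ite', X_EQ_Z, 1, 0), 1), 1)
# Example 9: two distinct EQ-OBDDs for logically equivalent predicates.
EXAMPLE_9 = (('ite', X_EQ_Y, 1, ('ite', Y_EQ_Z, 0, 1)),
             ('ite', X_EQ_Z, 1, ('ite', Y_EQ_Z, 0, 1)))
# x = y ∧ y = z ∧ x ≠ z: every path is inconsistent, so Order collapses it to 0.
CONTRADICTION = ('ite', X_EQ_Y, ('ite', Y_EQ_Z, ('ite', X_EQ_Z, 0, 1), 0), 0)

if __name__ == '__main__':
    print(normalize(TRANSITIVITY), [is_ordered(t) for t in EXAMPLE_9],
          satisfiable(CONTRADICTION))
```

Because rule 8 is non-local, `subst` walks the whole high branch; that is also why the ordinary Apply of Section 3 cannot be reused unchanged.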

3 Algorithm for Checking Tautology and Satisfiability 

We are now interested in constructing EQ-BDDs out of formulae. In traditional 
BDDs, a formula is transformed into an OBDD in a bottom-up fashion. Given 
two ordered BDDs, the logical operations (conjunction, disjunction, etc.) can be 
performed in polynomial time by Bryant’s Apply algorithm. If two EQ-OBDDs 
are combined in this way, new substitutions must be done in both of them, which 
destroy the ordering. We can of course re-order them by using the rewrite system 
Order, but the advantage of having a polynomial Apply has been lost. 
As an alternative, we use a top-down approach, which in the context of
OBDDs has for instance been described in [12]. This approach is based on the
Shannon expansion. For propositional logic, this reads: Φ ⟺ ITE(p, Φ|p, Φ|¬p),
where in Φ|p all occurrences of p are replaced by 1, and in Φ|¬p by 0. Taking
for p the smallest propositional variable in the ordering, this Shannon expansion
can be used to create a root node for p, and recursively continuing with two
subformulae that do not contain p. The number of variables in the formula
decreases. So, this process terminates. Because at each step the smallest variable
is taken, the resulting BDD is ordered.

When p is an equation, say x = y, the Shannon expansion still holds. In the
formula Φ|x=y, we assume that x = y, so we are allowed to replace y by x (the
larger variable by the smaller one, as in rule 8 and in Definition 16 below).
This leads to the following variant of the Shannon expansion:

Φ ⟺ ITE(x = y, Φ[y := x], Φ[(x = y) := 0])

This is recursively applied, with x = y the smallest equation in Φ, oriented in
such a way that x ≺ y in the variable order. Due to the substitutions it is not
guaranteed that the resulting EQ-BDD is ordered. However, we will show that
repeatedly applying the Shannon expansion does lead to an EQ-OBDD.



3.1 A Topdown Algorithm 

We now describe the algorithm precisely. We introduce a term rewrite system
Simplify, which removes superfluous occurrences of 0 and 1 and orients all
guards. It is clearly terminating and confluent.

Definition 15. The TRS Simplify consists of the following rules:

0 ∧ T → 0        ¬1 → 0
T ∧ 0 → 0        ¬0 → 1
1 ∧ T → T        ITE(1, T, U) → T
T ∧ 1 → T        ITE(0, T, U) → U

x = x → 1
y = x → x = y    if x ≺ y

We write Φ↓ for the normal form of Φ obtained by this rewrite system. Φ is called
simplified, if Φ ≡ Φ↓.

Note that every closed formula (one without guards) rewrites to 0 or 1. Furthermore,
on EQ-BDDs only the last four rules are applicable. Finally, note that ordered EQ-BDDs
are simplified. We introduce an auxiliary operation Φ|s, where Φ is a formula and s
a guard or the negation of a guard. We assume that Φ is simplified.

Definition 16. We define Φ|s, where s is p, ¬p, x = y or x ≠ y as follows:
If s ≡ p, then Φ|s consists of replacing all occurrences of p by 1; in Φ|¬p all
occurrences of p are replaced by 0. In case s ≡ x = y, we obtain Φ|s by replacing
all occurrences of y by x, and Φ|x≠y by replacing x = y by 0 everywhere.

Example 17. Let Φ ≡ x = z ∧ y = z and g ≡ x = z and assume x ≺ y ≺ z.
Then Φ|g ≡ x = x ∧ y = x and Φ|¬g ≡ 0 ∧ y = z. After simplification, we get:
Φ|g↓ ≡ x = y and Φ|¬g↓ ≡ 0. □
We are now ready to define the basic top-down transformation algorithm:

Definition 18. Assume that Φ is a simplified formula. We define the algorithm
Topdown on input Φ as follows:

- Topdown(1) = 1

- Topdown(0) = 0

- Otherwise, let g be the smallest guard occurring in Φ. Then

Topdown(Φ) = ITE'(g, Topdown(Φ|g↓), Topdown(Φ|¬g↓))

where ITE'(g, T, U) = T if T ≡ U, and ITE'(g, T, U) = ITE(g, T, U) otherwise.

Note that a closed formula simplifies to 1 or 0, so in the other case it must contain
a guard. Note that due to substitutions, new equalities can be introduced on the
fly. We now prove termination and soundness of the algorithm Topdown. With
#(Φ) we denote the number of guard occurrences in the completely unfolded
tree of Φ. Note that none of the rules from Simplify increases the number of
guards, so we have the following:

Lemma 19. For any formula Φ we have #(Φ) ≥ #(Φ↓).

Lemma 20. Let Φ be a simplified formula, and let g be a simplified guard.

(1) #(Φ) ≥ #(Φ|g)      (3) if g occurs in Φ, then #(Φ) > #(Φ|g)

(2) #(Φ) ≥ #(Φ|¬g)     (4) if g occurs in Φ, then #(Φ) > #(Φ|¬g)

Proof. Simultaneous formula induction on Φ. This boils down to checking that
in Definition 16, each guard is replaced by at most one other guard. □

Theorem 21. The algorithm Topdown(Φ) always terminates.

Proof. With each recursive call, #(Φ) strictly decreases. □

Theorem 22 (soundness). For any formula Φ, we have: Φ ⟺ Topdown(Φ).

Proof. Induction over the number of calls to Topdown. The induction step uses
that Φ ⟺ Φ↓ and g → (Φ ⟺ Φ|g) and similar for ¬g. □

3.2 Iteration of Topdown 

Unfortunately, it is not the case that Topdown(<?) is always ordered, as the 
following example shows. 

Example 23. Assume x ≺ y ≺ z. Then Topdown(x ≠ y ∧ (x = z ∧ y = z)) =
ITE(x = y, 0, ITE(x = z, ITE(x = y, 1, 0), 0)). See Figure 2, where the formulae
in square brackets denote the arguments to Topdown, and the dashed nodes
occur in the call graph, but are suppressed in the resulting EQ-BDD. In the low
branch, x = y is replaced by 0, but due to substitutions in the recursive call,
new occurrences of x = y are generated. Note that this is dangerous, as after one
application of Topdown it still contains unsatisfiable paths, which erroneously
could lead one to believe that the EQ-BDD represents a satisfiable formula. □
Fig. 2. Two call-graphs to Topdown: for [x ≠ y ∧ (x = z ∧ y = z)] and for
[ITE(x = y, 0, ITE(x = z, ITE(x = y, 1, 0), 0))] (diagrams not reproduced).



Note that in the previous example, an EQ-OBDD is found by another appli- 
cation of Topdown. We propose to apply Topdown repeatedly to a formula 
until a fixed point is reached. In the benchmarks presented in Section 3.3 
at most two iterations of Topdown were required to obtain an EQ-OBDD. In 
the rest of this section we prove that the fixed point can be reached in a finite 
number of steps, and that it is an ordered EQ-BDD. 
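The following Python code is an added worked example of Section 3, not the paper's C prototype: it realises Simplify (Definition 15), the restriction Φ|s (Definition 16), Topdown (Definition 18) and the fixed-point iteration described above on formulae represented as nested tuples, and reproduces Example 17 and Example 23, including the fact that the first pass of Topdown still contains an unsatisfiable path while the second pass collapses the formula to 0. The variable order x ≺ y ≺ z ≺ p ≺ q and the tuple encoding are assumptions of the example; the memoisation and maximal sharing of the prototype are left out, and the fixed point is detected with the criterion of Lemma 25.2 (Φ is ordered iff Φ ≡ Topdown(Φ)).

```python
"""Top-down construction of EQ-OBDDs. Formulas are nested tuples: 0, 1, a
proposition name (str), an equation ('=', x, y), ('not', f), ('and', f, g) or
('ite', f, g, h). (Added example, not the paper's code.)"""

RANK = {'x': 0, 'y': 1, 'z': 2, 'p': 3, 'q': 4}   # assumed total order on P ∪ V


def guard_key(g):
    """Guard order of Definition 4; Topdown expands the smallest guard first."""
    return (RANK[g[1]], RANK[g[2]]) if isinstance(g, tuple) else (RANK[g],)


def simplify(f):
    """Normal form under Simplify (Definition 15): drop 0/1 and orient equations."""
    if f in (0, 1) or isinstance(f, str):
        return f
    op = f[0]
    if op == '=':
        x, y = f[1], f[2]
        if x == y:
            return 1                                     # x = x → 1
        return ('=', x, y) if RANK[x] < RANK[y] else ('=', y, x)
    args = tuple(simplify(a) for a in f[1:])
    if op == 'not':
        return 1 - args[0] if args[0] in (0, 1) else ('not', args[0])
    if op == 'and':
        a, b = args
        if a == 0 or b == 0:
            return 0
        return b if a == 1 else (a if b == 1 else ('and', a, b))
    g, t, u = args                                       # op == 'ite'
    return t if g == 1 else (u if g == 0 else ('ite', g, t, u))


def restrict(f, g, positive):
    """Φ|g (positive=True) or Φ|¬g (positive=False) of Definition 16."""
    if f in (0, 1):
        return f
    if isinstance(f, str):                               # proposition variable
        return (1 if positive else 0) if f == g else f
    if f[0] == '=':
        if positive and isinstance(g, tuple):            # x = y: replace y by x
            x, y = g[1], g[2]
            return ('=', x if f[1] == y else f[1], x if f[2] == y else f[2])
        return 0 if f == g else f                        # x ≠ y: x = y becomes 0
    return (f[0],) + tuple(restrict(a, g, positive) for a in f[1:])


def guards(f):
    """All guards (proposition variables and equations) occurring in f."""
    if f in (0, 1):
        return set()
    if isinstance(f, str) or f[0] == '=':
        return {f}
    return set().union(*(guards(a) for a in f[1:]))


def topdown(f):
    """Definition 18 on a simplified formula; ITE' merges equal branches."""
    if f in (0, 1):
        return f
    g = min(guards(f), key=guard_key)
    hi = topdown(simplify(restrict(f, g, True)))
    lo = topdown(simplify(restrict(f, g, False)))
    return hi if hi == lo else ('ite', g, hi, lo)


def to_eq_obdd(f):
    """Iterate Topdown until a fixed point (Section 3.2). Returns the list of
    distinct intermediate results; the last one is ordered by Lemma 25.2."""
    history = [topdown(simplify(f))]
    while True:
        nxt = topdown(history[-1])
        if nxt == history[-1]:
            return history
        history.append(nxt)


def satisfiable(f):
    """Theorem 14 on the final EQ-OBDD: satisfiable iff it is not the leaf 0."""
    return to_eq_obdd(f)[-1] != 0


def tautology(f):
    return to_eq_obdd(f)[-1] == 1


X_EQ_Y, X_EQ_Z, Y_EQ_Z = ('=', 'x', 'y'), ('=', 'x', 'z'), ('=', 'y', 'z')
# Example 23: x ≠ y ∧ (x = z ∧ y = z). One pass is not ordered; the second gives 0.
EXAMPLE_23 = ('and', ('not', X_EQ_Y), ('and', X_EQ_Z, Y_EQ_Z))
# Transitivity as a formula: (x = y ∧ y = z) → x = z, a tautology.
TRANSITIVITY = ('ite', ('and', X_EQ_Y, Y_EQ_Z), X_EQ_Z, 1)

if __name__ == '__main__':
    for t in to_eq_obdd(EXAMPLE_23):
        print(t)
    print(tautology(TRANSITIVITY))
```

Reading only `history[0]` would report Example 23 as satisfiable, which is exactly the danger the example warns about; a satisfiability verdict must be taken from the fixed point.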

Lemma 24. Let Φ be a simplified EQ-BDD and g be a simplified guard. Then

(1) Φ ⪰_rpo Φ|g↓      (3) if g occurs in Φ, then Φ ≻_rpo Φ|g↓

(2) Φ ⪰_rpo Φ|¬g↓     (4) if g occurs in Φ, then Φ ≻_rpo Φ|¬g↓

Proof. We apply simultaneous induction on the structure of Φ. We only present
two interesting fragments of the proof of case (1) and (3), where Φ ≡ ITE(u =
v, T, U) and g ≡ x = y. Note that x ≺ y and u ≺ v, because Φ and g are
simplified.

First consider case (1). By definition Φ|g↓ = ITE((u = v)|g↓, T|g↓, U|g↓)↓.
Observe that (u = v)|g↓ either equals 1, x = v (if u ≡ y), u = x (if v ≡ y and
u ≺ x), x = u (if v ≡ y and x ≺ u) or u = v. The case v ≡ x does not occur, for
we would have v ≡ x ≺ y ≡ u ≺ v.

In the first case Φ|g↓ = T|g↓. Using the induction hypothesis, T ⪰_rpo T|g↓.
By property (I) of recursive path orderings it follows that Φ ≻_rpo T and hence
Φ ≻_rpo Φ|g↓. In the next three cases, it is obvious that x = v ≺ u = v and
u = x ≺ u = v and x = u ≺ u = v, respectively. Now using a similar argument
as above, we can show that Φ ≻_rpo T|g↓ and Φ ≻_rpo U|g↓. So, by property (II)
of RPO it follows that Φ ≻_rpo Φ|g↓. In the last case, where (u = v)|g↓ ≡ u = v,
we find by the induction hypothesis T ⪰_rpo T|g↓ and U ⪰_rpo U|g↓. By property
(III) of RPO it follows that Φ ⪰_rpo Φ|g↓.

Now consider case (3). Note that in case (1) we proved that Φ ≻_rpo Φ|g↓ in
all but the case where (u = v)|g↓ ≡ u = v. So, we only need to consider this
case. As g occurs in Φ it must occur in T or in U. As the cases are symmetric,
we can without loss of generality assume that g occurs in T. Via the induction
hypothesis it follows that T ≻_rpo T|g↓. Furthermore, by case (1) U ⪰_rpo U|g↓.
So, by property (III) of RPO we can conclude that

Φ ≡ ITE(u = v, T, U) ≻_rpo ITE(u = v, T|g↓, U|g↓) = Φ|g↓. □

Lemma 25. Let Φ be a simplified EQ-BDD. 

1. Φ ⪰rpo Topdown(Φ). 

2. Φ is ordered iff Φ = Topdown(Φ). 

Proof. Part 1 is proved by induction on #(Φ). Note that if Φ does not con- 
tain a guard then it is equal to 1 or 0, and this theorem is trivial. So, assume 
Φ contains at least one guard and let g be the smallest guard occurring in 
Φ. Recall from Lemma 19, 20 that #(Φ) > #(Φ|g↓) and similar for ¬g. Then 
Topdown(Φ) = ITE(g, Topdown(Φ|g↓), Topdown(Φ|¬g↓)). By induction hy- 
pothesis and Lemma 24, we have: 

(*)  Φ ⪰rpo Φ|g↓ ⪰rpo Topdown(Φ|g↓) 

     Φ ⪰rpo Φ|¬g↓ ⪰rpo Topdown(Φ|¬g↓) 

First, assume Topdown(Φ|g↓) = Topdown(Φ|¬g↓). Then Topdown(Φ) = 
Topdown(Φ|g↓) and we are done by (*). Now assume Topdown(Φ|g↓) ≠ 
Topdown(Φ|¬g↓), and assume that Φ = ITE(h, T, U). Then Topdown(Φ) = 
ITE(g, Topdown(Φ|g↓), Topdown(Φ|¬g↓)). As g is the smallest guard, one of 
the following two cases must hold. 

— g = h. In this case Φ|g↓ = T|g↓. Using Lemma 24 and the induction hy- 
pothesis, we can conclude T ⪰rpo T|g↓ = Φ|g↓ ⪰rpo Topdown(Φ|g↓). 
Similarly, U ⪰rpo Topdown(Φ|¬g↓). By case (III) of RPO it follows that 
Φ ⪰rpo Topdown(Φ). 

— h > g. Using (*) we can immediately apply case (II) of RPO and conclude 
that Φ ≻rpo Topdown(Φ). 

Part 2. Both directions are proved by structural induction on Φ. ⇒: We must 
show that if Φ is ordered, then Φ = Topdown(Φ). The case where Φ equals 0 
or 1 is trivial. So, consider the case where Φ = ITE(g, T, U). As Φ is ordered, g 
must be the smallest guard of Φ and cannot occur in T or U. Also, if g = x = y, 
y does not occur in T. Moreover, T and U are ordered, hence also simplified. So, 
Φ|g↓ = T and Φ|¬g↓ = U. Note that T ≠ U. 

Topdown(Φ) = 

ITE(g, Topdown(Φ|g↓), Topdown(Φ|¬g↓)) = 

ITE(g, Topdown(T), Topdown(U)) = (Induction hypothesis) 

ITE(g, T, U) = 

Φ 

⇐: Assume Φ = Topdown(Φ). If Φ is 1 or 0 then it is trivially ordered. So 
assume Φ = ITE(g, Φ1, Φ2). Then Topdown(Φ) = ITE(h, Ψ1, Ψ2), where h is 
the smallest guard in Φ, Ψ1 = Topdown(Φ|h↓) and Ψ2 = Topdown(Φ|¬h↓). 

If Ψ1 = Ψ2, then Φ = Ψ1 and using Lemma 24.3 and 25.1 we get the following 
contradiction: Φ ≻rpo Φ|h↓ ⪰rpo Ψ1 = Φ. 

Hence Ψ1 ≠ Ψ2. Then it must be the case that g = h, Φ1 = Ψ1 and Φ2 = 
Ψ2. Note that then Φ|h↓ = Φ1|h↓. Now, as Φ1 ⪰rpo Φ1|h↓ = Φ|h↓ ⪰rpo Ψ1 = Φ1, 
it must be the case that Φ1 = Φ1|h↓, hence Φ1 = Topdown(Φ1). Similarly, 
Φ2 = Topdown(Φ2). 

We must show that Φ is ordered. By induction hypothesis, Φ1 and Φ2 are 
ordered, so no rule of the TRS Order is applicable to a strict subterm of Φ. We 
now show that no rule (1-8) is applicable to the root of Φ. 

If rule 1 is applicable, then Φ1 = Φ2, which we excluded already. In case of 
rule 2, Φ1 = ITE(g, T, U), and we obtain the following contradiction: Φ1 ≻rpo 
T ⪰rpo T|g↓ = Φ1|g↓ = Φ1. Rule 3 is excluded similarly. Rule 4 and 5 are not 
applicable because g = h, which is the smallest guard in Φ. Rule 6 and 7 are not 
applicable because Φ is simplified. Finally, if rule 8 were applicable, g = x = y 
and y occurs in Φ1. Then, using monotonicity of ≻rpo, we have the following 
contradiction: Φ1 ≻rpo Φ1[y := x] = Φ1|g ⪰rpo Φ1|g↓ = Φ1. The last inequality 
uses the fact that the applicable rules of Simplify are contained in ⪰rpo. □ 

Theorem 26. Let Φ be a simplified formula. Iterated application of Topdown 
to Φ leads in a finite number of steps to an EQ-OBDD equivalent to Φ. 

Proof. After one application of Topdown, Φ is transformed into a simplified 
EQ-BDD. So, iterated application of Topdown leads to a sequence Φ, Φ1, Φ2, . . . 
of which each Φi (i ≥ 1) is a simplified EQ-BDD. By Lemma 25.1 the sequence 
Φ1, Φ2, . . . is decreasing in a well-founded way. Hence, at a certain point in the 
sequence we find that Φi = Φi+1. By Lemma 25.2 Φi is the required EQ-OBDD. 
Note that by Lemma 25.2 Φi is the first ordered EQ-BDD in the sequence. □ 

We conclude with the complete algorithm to transform an arbitrary formula Φ 
to an EQ-OBDD, which is just a repeated application of Topdown until a fixed 
point is reached: 

EQ-OBDD(Φ) = fixedpoint(Topdown)(Φ↓) 

We stress that in the benchmarks we never needed more than 2 iterations. 
This is not generally the case: 

Example 27. Given a < b < c < d < e < f, the following EQ-BDD needs 
4 iterations: ITE(a = f, ITE(a = e, d = e, c = d), b = c). The intermediate EQ- 
BDDs have size 9, 13, 23 and 21, respectively. This can be checked with our 
implementation. □ 

3.3 Implementation and Benchmarks 

In order to study the performance of Topdown, we made an implementation 
and used it to try the benchmarks reported in [16,19]. The authors report 
performance comparable to that of [10]. Unfortunately, we could not obtain the 
benchmarks used in [7]. We first describe the implementation, including some 
variable orderings we used, and then present the results. 




Equational Binary Decision Diagrams 175 



Prototype implementation. We have made a prototype implementation of the 
Topdown algorithm. As programming language we used C, including the ATerm- 
library [4]. The basic data types in this library are ATerms and ATermTables. 
ATerms are terms, which are internally represented as maximally shared DAGs. 
As a consequence, syntactical equality of terms can be tested in constant time. 
The basic operations are term formation and decomposition, which are also per- 
formed in constant time. ATermTables implement hash tables of dynamic size, 
with the usual operations. The ATerm-library also provides memory manage- 
ment functionality, by automatically garbage collecting unreferenced terms. By 
representing formulae and BDDs as ATerms, we are sure that they are always a 
maximally shared DAG. 

Care has to be taken in order to avoid that during some computation, shared 
subterms are processed more than once. Therefore all recursive procedures, like 
“find the smallest variable”, “simplify” and Φ|s are implemented using a hash 
table to implement memoization. In this way, syntactically equal terms are pro- 
cessed only once, and the time complexity for computing these functions is 
linear in the number of nodes in the DAG, which is the number of different 
subterms in the formulae. Also the Topdown-function itself uses a hash ta- 
ble for memoization. This contributes to its efficiency: Consider a formula Ψ 
which is symmetric in p and q (for instance: (p ∧ q) ∨ Φ, or (p ∧ Φ) ∨ (q ∧ Φ)). 
Then Thanks to memoization, only one of them will 
actually be computed. Still, the Topdown function has worst case exponential 
behavior, which is unavoidable, because in the propositional case (i.e. excluding 
equations) it builds an OBDD from a propositional formula in one iteration. 
Due to memoization of Topdown’s arguments, the memory demands are rather 
high. 
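The following is an added example and not the paper's C/ATerm implementation: a small Python reconstruction of Topdown, of EQ-OBDD = fixedpoint(Topdown), and of the memoization over structurally shared terms described above, used to reproduce Example 23 (the first pass keeps an unsatisfiable path, the second pass collapses the EQ-BDD to 0) and to run Example 27. Everything not stated in the text is an assumption of this reconstruction: guards are kept as x = y with x before y in the variable order and compared lexicographically; restricting to g = (x = y) substitutes y := x, restricting to ¬g replaces g by 0; Simplify is only constant propagation plus guard normalisation, so the sizes of intermediate EQ-BDDs need not match the paper's figures.

```python
"""Toy reconstruction of Topdown / fixedpoint(Topdown) for EQ-BDDs (assumptions above)."""
from functools import lru_cache

# Formulas are nested tuples, so structurally equal subterms hash alike and
# a dict-based memo plays the role of the ATerm hash table:
#   0, 1, ('eq', a, b), ('not', f), ('and', f, g), ('or', f, g), ('ite', g, t, e)


def rank(order, v):
    return order.index(v)


def eq(order, a, b):
    """Simplified guard: x = x becomes 1, smaller variable first (assumed convention)."""
    if a == b:
        return 1
    if rank(order, a) > rank(order, b):
        a, b = b, a
    return ('eq', a, b)


def simplify(f, order):
    """Constant propagation and guard normalisation (a stand-in for the TRS Simplify)."""
    if f in (0, 1):
        return f
    tag, args = f[0], f[1:]
    if tag == 'eq':
        return eq(order, *args)
    sub = [simplify(a, order) for a in args]
    if tag == 'not':
        return 1 - sub[0] if sub[0] in (0, 1) else ('not', sub[0])
    if tag == 'and':
        l, r = sub
        if l == 0 or r == 0: return 0
        if l == 1: return r
        if r == 1: return l
        return ('and', l, r)
    if tag == 'or':
        l, r = sub
        if l == 1 or r == 1: return 1
        if l == 0: return r
        if r == 0: return l
        return ('or', l, r)
    g, t, e = sub
    if g == 1: return t
    if g == 0: return e
    if t == e: return t
    return ('ite', g, t, e)


def replace(f, old, new, order):
    """Replace every occurrence of a variable (or of a whole guard), then simplify."""
    if f == old:
        return new
    if f in (0, 1) or isinstance(f, str):
        return f
    if f[0] == 'eq':
        return eq(order, replace(f[1], old, new, order), replace(f[2], old, new, order))
    return simplify((f[0],) + tuple(replace(a, old, new, order) for a in f[1:]), order)


def guards(f, acc=None):
    acc = set() if acc is None else acc
    if isinstance(f, tuple):
        if f[0] == 'eq':
            acc.add(f)
        else:
            for a in f[1:]:
                guards(a, acc)
    return acc


def smallest_guard(f, order):
    return min(guards(f), key=lambda g: (rank(order, g[1]), rank(order, g[2])))


@lru_cache(maxsize=None)   # memoization on Topdown's arguments, as in section 3.3
def topdown(f, order):
    """One pass: ITE(g, Topdown(Φ|g↓), Topdown(Φ|¬g↓)) for the smallest guard g."""
    f = simplify(f, order)
    if f in (0, 1):
        return f
    g = smallest_guard(f, order)
    hi = topdown(replace(f, g[2], g[1], order), order)   # Φ|g↓  : y := x
    lo = topdown(replace(f, g, 0, order), order)         # Φ|¬g↓ : g := 0
    return hi if hi == lo else ('ite', g, hi, lo)


def eq_obdd(f, order):
    """fixedpoint(Topdown)(Φ↓): returns the EQ-OBDD and the number of iterations."""
    order = tuple(order)
    cur, n = topdown(simplify(f, order), order), 1
    while True:
        nxt = topdown(cur, order)
        if nxt == cur:
            return cur, n
        cur, n = nxt, n + 1


def dag_size(f):
    """Number of distinct subterms, i.e. nodes of the maximally shared DAG."""
    seen = set()

    def walk(t):
        if t in seen:
            return
        seen.add(t)
        if isinstance(t, tuple) and t[0] != 'eq':
            for a in t[1:]:
                walk(a)
    walk(f)
    return len(seen)


# Example 23:  x ≠ y ∧ (x = z ∧ y = z)  with  x < y < z
ORDER23 = ('x', 'y', 'z')
PHI23 = ('and', ('not', ('eq', 'x', 'y')), ('and', ('eq', 'x', 'z'), ('eq', 'y', 'z')))
# Example 27:  ITE(a = f, ITE(a = e, d = e, c = d), b = c)  with  a < b < c < d < e < f
ORDER27 = ('a', 'b', 'c', 'd', 'e', 'f')
PHI27 = ('ite', ('eq', 'a', 'f'), ('ite', ('eq', 'a', 'e'), ('eq', 'd', 'e'), ('eq', 'c', 'd')), ('eq', 'b', 'c'))

if __name__ == '__main__':
    print(topdown(PHI23, ORDER23))   # one pass: still contains the path x = z, x = y
    print(eq_obdd(PHI23, ORDER23))   # (0, 2): the formula is unsatisfiable
    print(eq_obdd(PHI27, ORDER27))
```

After one pass on Example 23 the result is ITE(x = y, 0, ITE(x = z, ITE(x = y, 1, 0), 0)), exactly the term in the example; dag_size shows the shared guard x = y and the shared constant 0 are stored once.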

Results. Benchmark formulae can be obtained from [19] and most of them could 
be solved with the methods described in [16]. Each formula is known to be a 
tautology. They originate from compiler optimization; each formula expresses 
that the source and target code of a compilation step are equivalent. We used 
the versions where Ackermann’s function elimination has been applied [1], but 
domain minimization [16] has not yet been applied. In fact, our method does 
not rely on the finiteness of domains at all. The benchmark formulae extend the 
formulae of Definition 1 in various ways, but these extensions could be dealt 
with easily. 

It is well known that the variable ordering has an important effect on the 
performance. We therefore tried a number of orderings: With ‘t’ we denote the 
textual order of the variables as given in [19]. With ‘r’ we denote the reverse of 
this textual order. Finally, ‘bt’ (‘br’) denotes the textual (reverse) order, except 
that boolean variables always precede domain variables. 

We can now present the results. They can be found in Figure 3. The first 
column contains the number of the files, as given in [19]. The next three columns 
give an indication of the size of the formula: #b is the number of boolean vari- 
ables, #d the number of domain variables, and #n is the number of nodes in a 
maximally shared representation of the formula. The fifth column contains the 
times reported in [19], obtained by the method of [16]. The other columns show 
our results, using various variable orderings. Each entry is in minutes, i.e. a:b.c 
means a minutes and b.c seconds. With — we denote that a particular instance 
could not be solved, due to lack of memory. The times include the time to 
start the executable, I/O and transforming the benchmarks to the ATerm format. 
We used an IRIX machine with a 300 MHz processor, where the processes could 
use up to 1.5 GB of internal memory. 

Nr. file   #d   #b    #n  [16,19]      t     bt      r     br 
022        59   49   993    :0.16    :13    :16  17:01   7:50 
025        45   55   285     :0.2   :0.3   :0.3   :0.1   :0.1 
027        21   60   569     :1.7  12:37  10:55      —      — 
032        16   48   525     :0.1   :3.2   :3.2   5:02   4:12 
037        12   26   942    :0.15   2:17   :2.3   7:28    :12 
038         6   14   844    :0.18    :17   :0.4   :6.8   :0.3 
043       158   72  1717        —      —      —      —      — 
044        39   14   383     :0.1   :3.7   :2.0   0:28   :1.6 
046        68   35   667    :0.13      —      —      —      — 
049       163   75  1717        —      —      —   :0.3   :0.1 

Fig. 3. Timing results for the benchmarks 

The table shows that we can solve 8 out of 10 formulae. In this respect our 
method is comparable to [16]. The exact times are not relevant, because we 
have made a prototype implementation, without incorporating all well-known 
optimizations applied in BDD-packages, whereas [19] used an existing BDD- 
package. 

It is also clear that the variable ordering is rather important. In most cases, it 
is a good idea to split on boolean variables first, before splitting on equalities. The 
reason probably is that splitting on an equality introduces new guards, which 
can be rather costly. We also counted the number of iterations of Topdown 
that were needed in order to reach an EQ-OBDD. Remarkably, the maximum 
number of iterations was 2 and nearly all time was spent in the first iteration. 
Most benchmarks even reached a fixed point in the first iteration. 

We conclude that the algorithm Topdown is feasible. This is quite remark- 
able, as the top-down method is usually regarded as inefficient. We attribute this 
to the use of maximal sharing and memoization. In the next standard example, 
it is even more effective than using Apply. 

Example 28. Consider the formula X = p ∧ Φ ∧ ¬p. In case p is the smallest 
variable, Topdown terminates in one call, because X|p↓ = 0 and X|¬p↓ = 0 
and a contradiction is detected. □ 

The usual Apply algorithm will completely build the tree for <P, potentially 
resulting in an exponential blow-up. Many heuristics for providing a variable 
ordering will make p minimal, so this is a realistic scenario. In [2] an adaptation 
to the original Apply algorithm is described, which also solves this formula in 
constant time. 

4 Future Work 

Our motivation originates from investigations in the computer-aided analysis of 
distributed systems and protocols, where data is usually specified by algebraic 
data types, and automated reasoning is generally based on term rewriting. For 
this reason, function symbols cannot be eliminated, and the domains are gen- 
erally structured and often infinite. For instance, as soon as we introduce the 
successor function on natural numbers, all interesting models are infinite. 

Our approach forms an extendible basis. We may allow function symbols 
in EQ-BDDs. In the algorithm, the rewrite rules of the data domain can be 
added to the TRS Simplify. In this way, one is able to prove for instance that 
x < y ∨ x ≥ y is a tautology. Obviously this is not true when the interpretation of 
functions is free (e.g. interpret < as >). However, consider the following definition 
of < in terms of rewrite rules, where S denotes the successor function: 

x < 0 → 0        x < S(y) → x ≤ y        x ≤ y → x < y ∨ x = y 

An EQ-OBDD proof with auxiliary rewrite rules of x < y ∨ x ≥ y looks as 
follows: 




Also, x < 0 ∧ y = 0 → x = y can be proved in this way. Note that this doesn’t 
hold on the integers or reals, so the logic of difference constraints [13] cannot be 
used here. 

As future work we plan to investigate under which conditions such extensions 
are complete. For instance, in the example above we at least additionally need 
the following rules: 

0 = S(x) → 0        S(x) = S(y) → x = y        x = Sⁿ(x) → 0. 

We also plan to improve and extend our algorithm in the presence of function 
symbols. One of the main issues here is how to extend the ordering on the new 
nodes. 

Acknowledgments. We like to thank Ofer Shtrichman for making his benchmarks 
publicly available and discussing them. We are also indebted to the anonymous 
referees for improving some of the proofs. 
Abstract. This paper presents a tool for proving safety properties of 
Lustre programs in PVS, based on continuous induction. The tool applies 
off-line a repeated induction strategy and generates proof obligations 
left to PVS. We show on examples how it avoids some drawbacks of 
co-induction which needs to consider “absent elements” in the case of 
clocked streams. 



1 Introduction 

Co-induction has been advocated as providing a good theoretical framework for 
proving stream programs and several experiments and tools [5,16,13,9,14,7,2] 
have been recently designed in this setting, mostly based on Coq [6] and PVS [15]. 
Two main proof principles have been used, the “Bisimulation Proof Principle” 
originated from Park’s work and the “Infinite Proof Principle” due to Coquand. 
However, when we tried to apply these principles to the proof of Lustre [8] 
programs, we found that they were less efficient than the one which arises from 
the old, semantic based, Kahn’s theory of data-flow [11]. 

This observation mainly arises when considering multi-clock systems where 
sub-streams are extracted from streams by some filtering procedure. A way of 
dealing with such sub-streams within the co-inductive framework consists of 
introducing an “absent” element which takes the place of erased elements in 
the filtering process.¹ The point is that, as we show in section 5, bisimulation 
proofs rely on the observations (destructors of the co-inductive type) we can 
draw from a running process, and an “absent” element is sometimes a quite poor 
observation of what is actually taking place in the process. This may oblige us to 
add the observation of some internal state values or, equivalently, to strengthen 
the property we want to prove by extending it to these state values. As for 
infinite proofs, “absent” elements require more complex case analysis. 

An alternate solution arises from the remark that stream programming, as 
found in Lustre, describes programs as functions from streams to streams. The 

* This work has been partially supported by Esprit project Syrf and Inria action 
Presysa. 

¹ This absent element is the analog of “silent” elements introduced by Milner in 
synchronizing trees [12]. 
co-inductive point of view comes from the fact that the co-domain type of our 
functions (streams) is a co-inductive type. Now another possible proof principle 
can be derived from the recursive nature of the domain type (also streams). 
Induction allows us to prove properties of functions over inductive types, but 
these, in general only yield finite objects. This is where continuity is helpful, 
by bridging the gap between such finite objects and the infinite ones (streams) 
we deal with. When taking this point of view, we shall see that we don’t any- 
more need “absent” elements. Thus every observation we draw from a process is 
meaningful and proofs get simpler and shorter. 

In order to exemplify this observation, we shall first say some words of stream 
programming based on Lustre (section 2). Section 3 shows how to prove safety 
properties of Lustre programs by continuous induction and section 4 briefly de- 
scribes the tool we designed for automatically generating PVS proof obligations 
from Lustre programs and safety properties. In section 5 we provide a tentative 
comparison with co-induction and finally discuss related works. 

2 Lustre and Stream Programming 

2.1 Kahn Semantic 

The main idea of Kahn network semantic is to consider: 

— The complete partial order (CPO) (D^∞, ≤, ε) where D^∞ = D* + D^ω is 
the set of finite and infinite sequences of some set D, with respect to the 
prefix order of sequences x ≤ y ⇔ ∃z : y = x@z and the empty sequence 
ε: x = ε@x = x@ε, where @ is the concatenation of sequences. 

Completeness, here, amounts to the fact that every chain C = {x0 ≤ x1 . . . ≤ 
xn . . .} has a least upper bound lub C. 

— The CPO of functions over D^∞ tuples and higher order extensions. 

— Least fixed points of continuous functions, where continuity refers to lub 
preservation. In case of higher order functions, these fixed points are known 
to be continuous functions. 

In this setting, continuity implies monotony which, in turn, can be interpreted 
as causality: if x is a prefix of y, then (f x) is a prefix of (f y). 

2.2 Lustre Primitives 

Table 1 displays the inductive definitions of Lustre primitives. In this table: 

— . is the usual sequence constructor; 

— any constant is lifted to infinite sequences and similarly, every operator is 
lifted to operate point-wise on sequences; 

— ->pre is a unit delay; 

— when is a filtering operator; 

— current is a converse hold operator. 

It is easy to show that every primitive is continuous and every composition of 
primitives is continuous. 
xs + ε                    = ε 
ε + ys                    = ε 
x.xs + y.ys               = (x + y).(xs + ys) 
ε ->pre ys                = ε 
x.xs ->pre ε              = x.ε 
x.xs ->pre y.ys           = x.(y.ys ->pre ys) 
ε when cs                 = ε 
xs when ε                 = ε 
x.xs when true.cs         = x.(xs when cs) 
x.xs when false.cs        = xs when cs 
current v ε xs            = ε 
current v false.cs xs     = v.(current v cs xs) 
current v true.cs ε       = ε 
current v true.cs x.xs    = x.(current x cs xs) 

Table 1. Inductive definition of Lustre primitives 



2.3 Lustre Programs 

Then Lustre programs are sets of (mutually recursive) definitions built on these 
primitives. For instance, fib defines the sequence of Fibonacci numbers: 

fib = 1 -> pre(fib + (0 -> pre fib)); 

Functions (nodes) allow definitions to be encapsulated: 

node sum(delta, x : real) returns (y : real); 
let 

y = x*delta + (0 -> pre y); 

tel 

in such a way that z = sum(2.0*delta, x when half) represents an integrator 
operating at half rate. This functional style makes Lustre a useful language for 
programming control and hardware systems. 
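As an added example (not part of the paper or of any Lustre implementation), the Table 1 primitives over finite prefixes, the fib and sum programs above computed as Kleene approximations of their least fixed point, and an exhaustive check of the Example 1 property of section 3 on all short boolean prefixes, i.e. the finite cases that continuous induction covers. Assumptions: finite sequences are Python tuples, ε is the empty tuple, and a lifted constant is represented by a tuple long enough for the point-wise operation in which it is used.

```python
"""Table 1 primitives on finite prefixes, plus fib / sum from section 2.3."""
import operator
from itertools import product

EPS = ()  # the empty sequence ε; the sequence x.xs is the tuple (x,) + xs


def lift2(op, xs, ys):
    """Point-wise lifting of a binary operator:
    xs + ε = ε,  ε + ys = ε,  x.xs + y.ys = (x + y).(xs + ys)."""
    if not xs or not ys:
        return EPS
    return (op(xs[0], ys[0]),) + lift2(op, xs[1:], ys[1:])


def plus(xs, ys):
    return lift2(operator.add, xs, ys)


def arrow_pre(xs, ys):
    """xs ->pre ys (unit delay with initial value):
    ε ->pre ys = ε,  x.xs ->pre ε = x.ε,  x.xs ->pre y.ys = x.(y.ys ->pre ys)."""
    if not xs:
        return EPS
    if not ys:
        return (xs[0],)
    return (xs[0],) + arrow_pre(ys, ys[1:])


def when(xs, cs):
    """Filtering:  ε when cs = ε,  xs when ε = ε,
    x.xs when true.cs = x.(xs when cs),  x.xs when false.cs = xs when cs."""
    if not xs or not cs:
        return EPS
    rest = when(xs[1:], cs[1:])
    return (xs[0],) + rest if cs[0] else rest


def current(v, cs, xs):
    """Converse hold:  current v ε xs = ε,  current v false.cs xs = v.(current v cs xs),
    current v true.cs ε = ε,  current v true.cs x.xs = x.(current x cs xs)."""
    if not cs:
        return EPS
    if not cs[0]:
        return (v,) + current(v, cs[1:], xs)
    if not xs:
        return EPS
    return (xs[0],) + current(xs[0], cs[1:], xs[1:])


def lfp(F, n):
    """Kleene chain ε ≤ F(ε) ≤ F(F(ε)) ≤ ...: every step of a productive
    definition adds one element, so n steps give the n-element prefix."""
    s = EPS
    while len(s) < n:
        nxt = F(s)
        if nxt == s:          # non-productive definition: the chain stalls
            break
        s = nxt
    return s[:n]


def fib(n):
    """fib = 1 -> pre(fib + (0 -> pre fib));"""
    return lfp(lambda f: arrow_pre((1,), plus(f, arrow_pre((0,), f))), n)


def sum_node(delta, xs):
    """node sum(delta, x) returns (y);  y = x*delta + (0 -> pre y);"""
    xd = lift2(operator.mul, xs, (delta,) * len(xs))   # delta lifted to a stream
    return lfp(lambda y: plus(xd, arrow_pre((0,), y)), len(xs))


def integrator_half_rate(delta, xs):
    """z = sum(2.0*delta, x when half): the integrator of section 2.3 at half rate."""
    half = tuple(i % 2 == 0 for i in range(len(xs)))   # constructed clock true.false.true...
    return sum_node(2.0 * delta, when(xs, half))


def example1_holds(max_len):
    """Exhaustively check  All xs => All (current true cs xs)  on every pair of
    boolean prefixes xs, cs of length <= max_len."""
    for lx in range(max_len + 1):
        for lc in range(max_len + 1):
            for xs in product((False, True), repeat=lx):
                if not all(xs):
                    continue
                for cs in product((False, True), repeat=lc):
                    if not all(current(True, cs, xs)):
                        return False
    return True


if __name__ == '__main__':
    print(fib(8))                                             # (1, 1, 2, 3, 5, 8, 13, 21)
    print(integrator_half_rate(0.5, (1.0, 9.0, 2.0, 9.0)))    # (1.0, 3.0)
    print(example1_holds(4))                                  # True
```

Each Kleene step lengthens the approximation by exactly one element, which is the finite-prefix form of the causality remark in section 2.1; the brute-force check is of course no proof, but it exercises precisely the four cases the induction in Example 1 discharges.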

2.4 Synchrony 

Though not essential here, let us say a word on synchrony: it consists of rejecting, 
thanks to some static analysis referred to as “clock calculus”, expressions like 
x + (x when half) whose execution requires an unbounded memory. 

3 Induction and Continuity 

The idea is to look at safety properties (All modality) as inductively defined 
predicates over input sequences. Yet, infinite sequences are not an algebraic 
type and cannot be considered as an initial algebra but, as we already noticed, 
they can be considered as lubs of finite sequence chains. If our predicates are 
continuous and if we prove that a property holds for every finite input sequence, 
it will hold by continuity on the lubs. 

Table 2 displays the proof rules for such safety properties: 

— the rules assume x, xs and xss are not free in H; 

— (IND) is the ordinary induction on lists; 

— (REC) is the usual fix-point rule, which also extends by continuity. 




Table 2. Proof rules 



Example 1: We want to prove: ∀xs, cs : All xs ⇒ All (current true cs xs) 

First step: we can choose here to induct on cs. This gives three sub-goals: 

  All xs 
  ------------------------- , which holds by expanding current, and 
  All (current true ε xs) 

  All xs 
  ∀xs : All xs ⇒ All (current true cs xs) 
  ---------------------------------------- , which holds by expanding current 
  All (current true false.cs xs) 

and using the induction hypothesis, and 

  All xs 
  ∀xs : All xs ⇒ All (current true cs xs) 
  ---------------------------------------- , which yields, by expanding current 
  All (current true true.cs xs) 

and remarking that the xs = ε case holds directly: 

  All x.xs 
  ∀xs : All xs ⇒ All (current true cs xs) 
  ---------------------------------------- 
  All (current x cs xs) 

General step: at this point, we have got rid of initialization and deal with the 
general case which can be restated as 
∀x, xs : All x.xs ⇒ All (current x cs xs) 

By induction on cs, we get three new goals; the ε and false.cs cases work as 
previously, and the last one leads to: 

  All x.xs 
  ∀x, xs : All x.xs ⇒ All (current x cs xs) 
  ------------------------------------------ . The xs = ε case holds directly and 
  All (current x true.cs xs) 

the xs = x'.xs' case holds by instantiating the induction hypothesis. 

We can see here that we have examined exactly four cases at each step, the 
initial step and the general case step, and this is clearly the minimum number 
of cases needed to prove the property. Furthermore, the cases involving ε are 
obvious and yield direct proofs. 

4 A Proof Obligation Generator for Lustre Programs 

Initially, we defined Kahn semantic in PVS [15], but trying to directly use this 
theory through PVS strategies is rather inefficient.² So we decided to unfold the 
strategies off-line and to only leave to PVS the remaining proof obligations. 

For instance a proof goal like 

  H 
  -------- 
  All x.xs 

will generate the proof obligation 

  H 
  --- 
  x 

left to PVS, while the remaining goal 

  H 
  ------ 
  All xs 

will be analyzed off-line. Furthermore ε-like goals will be in general discharged 
within the tool and do not generate proof obligations. 

A heuristic strategy has been tried, which seems to provide sensible results; 
it consists of: 

— First, apply the continuity rule until there are no more recursive definitions. 

— Then, eliminate initial values. This corresponds to the first step of example 1. 

— Finally, deal with the general case. 

It should be noted that the initial value elimination step may require un- 
folding several times the property, depending on the number of initial values to 
eliminate, until the induction hypothesis can be used. This allows us to tune 
the number of unfoldings to the needs of the property to be proved. This is, for 
instance, the case when trying to prove the property: 

Example 2: All(fib ≥ 0) 

Here, our initial value elimination strategy provides us with the right number 
of unfoldings needed to prove the property. 

A translation tool, written in Caml, performs the unfolding of the strategy, 
starting from a Lustre program and a given All property, and generates PVS 
proof obligations. Table 3 displays the resulting PVS proof obligations of example 
2. It is easy to see from this example that the proof obligations are obvious and 
can be discharged with a straightforward PVS strategy. 

On the contrary, the strategy fails to provide proof obligations when dealing 
with non synchronous problems like: 

² Just think of writing a strategy for automatically obtaining the unfolding of example 1. 
example2_ex2_node : THEORY 
BEGIN 

IMPORTING streams 
fib : VAR stream[int] 

ex2_prop1_0 : THEOREM 
  ((hd(fib) >= 0) 
  ) => (1 >= 0) 

ex2_prop1_00 : THEOREM 
  ((hd(tl(fib)) >= 0) 
   AND (hd(fib) >= 0) 
  ) => ((hd(fib) + 0) >= 0) 

ex2_prop1_000 : THEOREM 
  ((hd(tl(tl(fib))) >= 0) 
   AND (hd(tl(fib)) >= 0) 
   AND (hd(fib) >= 0) 
  ) => ((hd(tl(fib)) + hd(fib)) >= 0) 
END example2_ex2_node 

Table 3. PVS proof obligations for example 2 

Example 3: All(x > 0) ⇒ All(x + (x when c) > 0) 

The problem, here, is that the induction hypotheses never allow the remaining 
goals to be discharged because there is always an extra tl which appears in the 
goal and not in the hypothesis. In this sense, our strategy looks very much like 
Wadler’s deforestation [19] in the particular context of proof generation. 

5 Co-induction 

5.1 Processes and Co-inductive Definitions 

Processes (co-algebras) (X, D, f, g) are defined by: 

— a set of states X and a set of values D; 

— a transition function f from X to X; 

— an output function g from X to D. 

Then, it can be shown [10] that (D^ω, D, hd, tl) is a final co-algebra in the sense 
that there exists a unique (behavior) function h from X to D^ω such that, for 
all x in X, hd(h x) = g x and tl(h x) = h(f x) where hd, tl are the usual 
sequence destructors. Equivalently, h x = (g x).h(f x) (here the uniqueness of 
h comes simply from the fact that, for any x and n, h x n = g(fⁿ x)). 

Such a definition is said co-inductive. Uniqueness gives sense to recursively 
defined functions, such as rec h : λx : (g x).h(f x) provided their co-domains 
lie within some final co-algebra. 

Bisimulation Proofs are based on the observation of the property truth value, 
i.e., D = {false, true}. Then an always true property is such that the observation 
yields the sequence true^ω. If we want to prove that the property holds for some x0 
in X, we must find some property P such that P(x) implies g(x) and P(f(x)) 
and then prove that P(x0) holds. A “natural” choice for P can be to choose 
g⁻¹(true). 



Infinite Proofs correspond to the cofix tactic in Coq and avoid the drawback 
of having to choose a property. They are based on quite the same rules as in- 
duction rules of table 2 but for the ε cases which can be discarded. In this sense, 
co-induction can be seen as simpler than induction. 

5.2 The Clocked Stream Case 

The idea here, like in [4,14], is to replace filtered values by an absent value a. 
Table 4 displays the expression of Lustre primitives in this setting.³ 



a.xs + a.ys                = a.(xs + ys) 
x.xs + a.ys                = a.(x.xs + ys) 
a.xs + y.ys                = a.(xs + y.ys) 
x.xs + y.ys                = (x + y).(xs + ys) 
a.xs ->pre ys              = a.(xs ->pre ys) 
x.xs ->pre a.ys            = x.(a.ys ->pre ys) 
x.xs ->pre y.ys            = x.(y.ys ->pre ys) 
a.xs when a.cs             = a.(xs when cs) 
a.xs when c.cs             = a.(xs when c.cs) 
x.xs when a.cs             = a.(x.xs when cs) 
x.xs when true.cs          = x.(xs when cs) 
x.xs when false.cs         = a.(xs when cs) 
current v a.cs a.xs        = a.(current v cs xs) 
current v a.cs x.xs        = a.(current v cs x.xs) 
current v false.cs xs      = v.(current v cs xs) 
current v true.cs a.xs     = a.(current v true.cs xs) 
current v true.cs x.xs     = x.(current x cs xs) 

Table 4. Co-inductive definition of Lustre primitives 



Observing properties of such processes leads now to consider D as a three 
valued set {a, false, true}, and we have to decide what is a good observation; 

³ This table could have been made simpler by merging cases. However the given ex- 
pressions easily distinguish synchronous and non synchronous cases. 
we can decide to say that a property is always true if the observation belongs 
to {a, true}^ω. This consists of saying that a property holds as long as its truth 
value is not false. Then the previous proof rules remain valid. 



Example 1: We want to prove that the function current true c x is always true 
as soon as x is always true, i.e. belongs to {a, true}^ω. 

Here, the bisimulation rule does not work: 

— the initial proof is obvious by case analysis because, initially, v and x evaluate 
to true; 

— but the induction step does not hold; the observation of the absent value a 
does not tell us anything on the stored value v that can be observed at the 
next step and v can be false. Notice that cases 2 and 4 could have been 
eliminated by some clock analysis (they are not synchronous), but the first 
one is synchronous and cannot be eliminated. 

A solution in this case consists of strengthening the property by adding an 
observation of the stored internal state value v. However, intuitively, we can 
see that this would not have been necessary if we had used the definitions of 
section 2.2: here, the observed value always tells us which is the stored value. 

Moreover, we can see that the definitions of table 1 are always simpler than 
the ones of table 4. Thus, infinite proofs are more complex than inductive ones. 
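As an added example (not from the paper), the Table 4 primitives with an explicit absent value, written so that the operands' consumption can be inspected. Two things the text asserts become visible: the non-synchronous expression x + (x when half) of section 2.4 leaves a backlog of x that grows with the input, which is the "unbounded memory" the clock calculus rejects, and the observation of current in this setting can be a, which says nothing about the stored value v. Assumptions of this example: finite prefixes instead of the co-inductive streams of Table 4, an exhausted operand ends the result, and the sample inputs are constructed.

```python
"""Table 4 (clocked) primitives on finite prefixes with an explicit absent value."""
A = None  # the absent value a


def plus_clocked(xs, ys):
    """x + y per Table 4; also returns how many elements of xs and ys were consumed."""
    out, i, j = [], 0, 0
    while i < len(xs) and j < len(ys):
        x, y = xs[i], ys[j]
        if x is A and y is A:      # a.xs + a.ys = a.(xs + ys)
            out.append(A); i += 1; j += 1
        elif y is A:               # x.xs + a.ys = a.(x.xs + ys)   (x stays buffered)
            out.append(A); j += 1
        elif x is A:               # a.xs + y.ys = a.(xs + y.ys)
            out.append(A); i += 1
        else:                      # x.xs + y.ys = (x + y).(xs + ys)
            out.append(x + y); i += 1; j += 1
    return tuple(out), i, j


def when_clocked(xs, cs):
    out, i, j = [], 0, 0
    while i < len(xs) and j < len(cs):
        x, c = xs[i], cs[j]
        if x is A and c is A:      # a.xs when a.cs = a.(xs when cs)
            out.append(A); i += 1; j += 1
        elif x is A:               # a.xs when c.cs = a.(xs when c.cs)
            out.append(A); i += 1
        elif c is A:               # x.xs when a.cs = a.(x.xs when cs)
            out.append(A); j += 1
        elif c:                    # x.xs when true.cs = x.(xs when cs)
            out.append(x); i += 1; j += 1
        else:                      # x.xs when false.cs = a.(xs when cs)
            out.append(A); i += 1; j += 1
    return tuple(out)


def current_clocked(v, cs, xs):
    out, i, j = [], 0, 0
    while j < len(cs):
        c = cs[j]
        if c is A:
            if i < len(xs) and xs[i] is A:   # current v a.cs a.xs = a.(current v cs xs)
                i += 1
            out.append(A); j += 1            # current v a.cs x.xs = a.(current v cs x.xs)
        elif not c:                          # current v false.cs xs = v.(current v cs xs)
            out.append(v); j += 1
        elif i >= len(xs):
            break
        elif xs[i] is A:                     # current v true.cs a.xs = a.(current v true.cs xs)
            out.append(A); i += 1
        else:                                # current v true.cs x.xs = x.(current x cs xs)
            v = xs[i]; out.append(v); i += 1; j += 1
    return tuple(out)


def backlog_demo(n):
    """x + (x when half) on the first n samples of x = 1, 2, 3, ...: the left
    operand is consumed at half the rate of the right one, so the number of
    x values still waiting to be paired grows linearly with n."""
    xs = tuple(range(1, n + 1))                         # constructed input
    half = tuple(i % 2 == 0 for i in range(n))          # clock true.false.true...
    res, used_left, used_right = plus_clocked(xs, when_clocked(xs, half))
    return res, used_right - used_left                  # backlog of buffered x values


def observe_current():
    """Example 1 of section 5.2: x in {a, true}, so the observations stay in
    {a, true}; the two a's reveal nothing about the stored v."""
    cs = (True, False, A, True)          # constructed clock with an absent tick
    xs = (True, A, A, True)              # constructed input in {a, true}
    return current_clocked(True, cs, xs)


if __name__ == '__main__':
    print(backlog_demo(8))     # ((2, None, 5, None, 8, None, 11, None), 4)
    print(plus_clocked((1, 2, 3), (1, 2, 3)))   # synchronous: both operands fully consumed
    print(observe_current())   # (True, True, None, None, True)
```

Doubling n doubles the backlog, whereas a synchronous sum such as x + x consumes both operands in step; that difference is exactly what a clock calculus detects statically.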



5.3 Comparison with Induction 

We can show that continuous induction is as powerful a proof principle as co- 
induction. 

Theorem 1. Continuous induction generates the same proof obligations as bisim- 
ulation. 

We have seen that the bisimulation proof of 

  All (rec h : λx : (g x).h(f x)) x0 

yields the proof obligations 

  --------   and   ---------- 
   (g x0)           (g (f x)) 

where the second has premise (g x). By coding this property as: 

  All (map(g) (rec y : x0.(map(f) y))) 

and by applying the unfolding strategy of the paper, we easily obtain the same 
proof obligations. 

The comparison with infinite proofs is even easier as both are based on almost 
the same rules. 
6 Related Works 

Continuous induction has been used for a long time in proving programs [17]. Yet, it 
seems that the first attempt to use it for proving properties on streams goes 
back to Ashcroft and Wadge [3], and our work can be seen as simply an update 
of this one. However, it is devoted to the Lucid context which was somewhat 
different from the Kahn-Lustre one. Furthermore the proof of when and current 
based programs was not addressed while it constitutes a major motivation here. 
More recently, Pavlovic [18] describes an approach which seems quite similar 
to ours, but much more generally presented in a categorical framework that 
makes it quite difficult to understand. Furthermore it does not seem to draw the 
practical consequences we have drawn from the comparison between continuous 
induction and co-induction. 



7 Conclusion 

The problem of dealing with clocks when proving stream programs leads either 
to consider “absent” elements and apply usual co-induction or to consider both 
finite and infinite sequences.⁴ In the latter case, continuous induction provides us 
with simple and efficient proof schemes and seems a better choice. 

Yet, formalizing it within the PVS framework appeared quite inefficient. This 
is why we chose to run these strategies off-line, in the translation tool itself, and 
to only generate PVS proof obligations, that is to say, what remains to prove, 
once the unfolding of inference rules has been performed. 

Then, this tool appears very efficient: it allows us to handle multiple clocks 
in a functional style, it is fast and it often finds the right number of unfoldings 
which allows a property to be proved. 

Furthermore, the framework would offer the possibility of dealing with asyn- 
chronous and possibly unbounded Kahn networks, and thus the possibility to 
model and prove mixed synchronous-asynchronous designs. However, in this case, 
proofs are more difficult to obtain because the generalization step may not con- 
verge. Then, this generalization should be provided manually, in the same way as 
when some invariant strengthening is needed. But this has still to be developed. 
Several other points remain to be studied: 

— Experiments have only dealt with safety properties. Liveness ones have to 
be addressed. 

— Only flat programs have been studied. This is likely to only apply to small 
programs and raises the question of addressing large, structured ones. 

— One way of answering this last question could be to study some refinement- 
based design method a la B[l], adapted to the synchronous programming 
context. In this sense, a proof obligation generator like the one described 
here could be a good starting point. 

^ Co-induction on finite and infinite sequences also requires absent elements. 
Abstract. We present the rational construction of a generic domain for structural information analysis of CLP languages called Pattern(D♯), where the parameter D♯ is an abstract domain satisfying certain properties. Our domain builds on the parameterized domain for the analysis of logic programs Pat(ℜ), which is due to Cortesi et al. However, the formalization of our CLP abstract domain is independent of specific implementation techniques: Pat(ℜ) (suitably extended in order to deal with CLP systems omitting the occur-check) is one of the possible implementations. Reasoning at a higher level of abstraction we are able to appeal to familiar notions of unification theory. This higher level of abstraction also gives considerably more latitude to the implementer. Indeed, as demonstrated by the results summarized here, an analyzer that incorporates structural information analysis based on our approach can be highly competitive both from the precision and, contrary to popular belief, from the efficiency point of view.



1 Introduction 

Most interesting CLP languages [16] offer a constraint domain that is an amal- 
gamation of a domain of syntactic trees — like the classical domain of finite 
trees (also called the Herbrand domain) or the domain of rational trees [9] — 
with a set of “non-syntactic” domains, like finite domains, the domain of rational 
numbers and so forth. The inclusion of uninterpreted functors is essential for pre- 
serving Prolog programming techniques. Moreover, the availability of syntactic 
constraints greatly contributes to the expressive power of the overall language. 
When syntactic structures can be used to build aggregates of interpreted terms 
one can express, for instance, “records” or “unbounded containers” of numerical 
quantities. 

From the experience gained with the first prototype version of the China data-flow analyzer [1] it was clear that, in order to attain a significant precision in the analysis of numerical constraints in CLP languages, one must keep at least part of the uninterpreted terms in concrete form. Note that almost any analysis is more precise when this kind of structural information is retained to some extent: in the case mentioned here the precision loss was just particularly acute. Of course, structural information is very valuable in itself. When exploited for optimized compilation it allows for enhanced clause indexing and simplified unification. Moreover, several program verification techniques are highly dependent on this kind of information.

* This work has been partly supported by MURST project "Certificazione automatica di programmi mediante interpretazione astratta." Some of this work was done during a visit of the first and third authors to Leeds, funded by EPSRC under grant M05645.

M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 189-208, 2000.
(c) Springer-Verlag Berlin Heidelberg 2000

Cortesi et al. [10,11], after the work of Musumbu [21], put forward a very nice proposal for dealing with structural information in the analysis of logic programs. Using their terminology, they defined a generic abstract domain Pat(ℜ) that automatically upgrades a domain ℜ (which must support a certain set of elementary operations) with structural information.

As far as the overall approach is concerned, we extend the work described in [11] by allowing for the analysis of any CLP language [16]. Most importantly, we do not assume that the analyzed language performs the occur-check in the unification procedure. This is an important contribution, since the vast majority of real (i.e., implemented) CLP languages (in particular, almost all Prolog systems) do omit the occur-check, either as a mere efficiency measure or because they are based upon a theory of extended rational trees [9]. We describe a generic construction for structural analysis of CLP languages. Given an abstract domain D♯ satisfying a small set of very reasonable and weak properties, the structural abstract domain Pattern(D♯) is obtained automatically by means of this construction. In contrast to [11], where the authors define a specific implementation of the generic structural domain (e.g., of the representation of term-tuples), the formalization of Pattern(·) is implementation-independent: Pat(ℜ) (suitably extended in order to deal with CLP languages and with the occur-check problem) is a possible base for the implementation. Reasoning at a higher level of abstraction we are able to appeal to familiar notions of unification theory [18]. One advantage is that we can identify an important parameter (a common anti-instance function) that gives some control over the precision and computational cost of the resulting structural domain. In addition, we believe our implementation-independent treatment can be more easily adapted to different analysis frameworks/systems.

One of the merits of Pat(ℜ) is to define a generic implementation that works on any domain ℜ that provides a certain set of elementary, fine-grained operations. Because of the simplicity of these operations it is particularly easy to extend an existing domain in order to accommodate them. However, this simplicity has a high cost in terms of efficiency: the execution of many isolated small operations over the underlying domain is much more expensive than performing a few macro-operations where global effects can be taken into account. The operations that the underlying domain must provide are thus more complicated in our approach. However, this extra complication and the higher level of abstraction give considerably more latitude to the implementer. Indeed, as demonstrated by the results summarized here, an analyzer that incorporates structural information analysis based on our approach can be highly competitive both from the precision and the efficiency point of view. One of the contributions of this paper is that it disproves the common belief (now reinforced by [8]) that abstract domains enhanced with structural information are inherently inefficient.

The paper is structured as follows: Section 2 introduces some basic concepts and the notation that will be used in the paper; Section 3 presents the main ideas behind the tracking of explicit structural information for the analysis of CLP languages; Section 4 introduces the D♭ and Pattern(D♯) domains and explains how an abstract semantics based on D♯ can systematically be upgraded to one on Pattern(D♯); Section 5 summarizes the extensive experimental evaluation that has been conducted to validate the ideas presented in this paper; Section 6 presents a brief discussion of related work and, finally, Section 7 concludes with some final remarks.



2 Preliminaries 

Let $U$ be a set. The cardinality of $U$ is denoted by $|U|$. We will denote by $U^n$ the set of $n$-tuples of elements drawn from $U$, whereas $U^*$ denotes $\bigcup_{n \in \mathbb{N}} U^n$. Elements of $U^*$ will be referred to as tuples or as sequences. The empty sequence, i.e., the only element of $U^0$, is denoted by $\varepsilon$. Throughout the paper all variables denoting sequences will be written with a "bar accent", like in $\bar{s}$. For $s \in U^*$, the length of $s$ will be denoted by $|s|$. The concatenation of the sequences $s_1, s_2 \in U^*$ is denoted by $s_1 :: s_2$. For each $s \in U^*$ and each set $X \in \wp_f(U)$, the sequence $s \setminus X$ is obtained by removing from $s$ all the elements that appear in $X$. The projection mappings $\pi_i \colon U^n \to U$ are defined, for $i = 1, \ldots, n$, by $\pi_i((e_1, \ldots, e_n)) = e_i$. We will also use the liftings $\pi_i \colon \wp(U^n) \to \wp(U)$ given by $\pi_i(S) = \{ \pi_i(s) \mid s \in S \}$. If a sequence $s$ is such that $|s| \geq i$, we let $\mathrm{prefix}_i(s)$ denote the sequence of the first $i$ elements of $s$.

Let $\mathit{Vars}$ denote a denumerable and totally ordered set of variable symbols. We assume that $\mathit{Vars}$ contains (among others) two infinite, disjoint subsets: $z$ and $z'$. Since $\mathit{Vars}$ is totally ordered, $z$ and $z'$ are as well. Thus we assume $z = (Z_1, Z_2, Z_3, \ldots)$ and $z' = (Z'_1, Z'_2, Z'_3, \ldots)$. If $W \subseteq \mathit{Vars}$ we will denote by $T_W$ the set of terms with variables in $W$. For any term or tuple of terms $t$ we will denote the set of variables occurring in $t$ by $\mathit{vars}(t)$. We will also denote by $\mathit{vseq}(t)$ the sequence of first occurrences of variables that are found on a depth-first, left-to-right traversal of $t$. For instance, $\mathit{vseq}\big((f(g(X), Y), h(X))\big) = (X, Y)$.

We implement the "renaming apart" mechanism by making use of two strong normal forms for tuples of terms. Specifically, the set of $n$-tuples in z-form is given by

\[ T^n_z = \{\, t \in T^n_{\mathit{Vars}} \mid \mathit{vseq}(t) = (Z_1, Z_2, \ldots, Z_{|\mathit{vars}(t)|}) \,\}. \]

The set of all the tuples in z-form is denoted by $T^*_z$. The definitions for $T^n_{z'}$ and $T^*_{z'}$ are obtained in a similar way, by replacing $z$ with $z'$. There is a useful device for toggling between z- and z'-forms. Let $t \in T^n_z \cup T^n_{z'}$ and $|\mathit{vars}(t)| = m$. Then $t' = t[Z'_1/Z_1, \ldots, Z'_m/Z_m]$ if $t \in T^n_z$, and $t' = t[Z_1/Z'_1, \ldots, Z_m/Z'_m]$ if $t \in T^n_{z'}$. Notice that $t'' = (t')' = t$.
When $V \in \mathit{Vars}^m$ and $t \in T^m$ we use $[t/V]$ as a shorthand for the substitution $[\pi_1(t)/\pi_1(V), \ldots, \pi_m(t)/\pi_m(V)]$ if $m > 0$, and to denote the empty substitution if $m = 0$. If $\mathit{vars}(t) \cap V = \emptyset$, then $[t/V]$ is idempotent. Suppose that $s = (s_1, \ldots, s_m) \in T^m$ and $t = (t_1, \ldots, t_m) \in T^m$; then $s = t$ denotes $(s_1 = t_1, \ldots, s_m = t_m)$. It is also useful to sometimes regard a substitution $[t/V]$ as the finite set of equations $V = t$. A couple of observations are useful for what follows. If $s \in T^*_z$ and $u \in T^{|\mathit{vars}(s)|}_z$ then $s'[u/\mathit{vseq}(s')] \in T^*_z$. Moreover

\[ \mathit{vseq}\big(s'[u/\mathit{vseq}(s')]\big) = \mathit{vseq}(u). \]

The logical theory underlying a CLP constraint system [16] is denoted by $\mathcal{T}$. To simplify the notation, we drop the outermost universal quantifiers from (closed) formulas, so that if $F$ is a formula with free variables $Z$, then we write $\mathcal{T} \models F$ to denote the expression $\mathcal{T} \models \forall Z : F$.

The notation $f \colon A \rightharpoonup B$ signifies that $f$ is a partial function from $A$ to $B$.

3 Making the Herbrand Information Explicit 

A quite general picture for the analysis of a CLP language is as follows. We want to describe a (possibly infinite) set of constraint stores over a tuple of variables of interest $V = (V_1, \ldots, V_k)$. Each constraint store can be represented, at some level of abstraction, by a formula of the kind $\exists \Delta \,.\, \big((V = t) \wedge C^\flat\big)$, where $(V = t)$, with $t \in T^k$, is a system of Herbrand equations in solved form, $C^\flat \in \mathcal{C}^\flat$ is a constraint on the concrete constraint domain $\mathcal{C}^\flat$, and the set $\Delta = \mathit{vars}(C^\flat) \cup \mathit{vars}(t)$ is such that $\Delta \cap V = \emptyset$. Roughly speaking, $C^\flat$ limits the values that the quantified variables occurring in $t$ can take. Notice that this treatment does not exclude the possibility of dealing with domains of rational trees: the non-Herbrand constraints will simply live in the constraint component. For example, the constraint store resulting from execution of the SICStus goal '?- X = f(a, X)' may be captured by $\exists X \,.\, (\{V_1 = X\} \wedge X = f(a, X))$ but also by $\exists X \,.\, (\{V_1 = f(a, X)\} \wedge X = f(a, X))$.

Once the variables $V$ have been fixed, the Herbrand part of the constraint store can be represented as a $k$-tuple of terms. We are thus assuming a concrete domain where the Herbrand information is explicit and other kinds of information are captured by some given constraint domain $\mathcal{C}^\flat$. For instance, if the target language of the analysis is CLP(ℛ) [17], $\mathcal{C}^\flat$ may encode conjunctions of equations and inequations over arithmetic expressions, the mechanisms for delaying non-linear constraints, and other peculiarities of the arithmetic part of the language. We assume constraints are modeled by logical formulas, so that it makes sense to talk about the free variables of $C^\flat \in \mathcal{C}^\flat$, denoted by $\mathit{FV}(C^\flat)$. These are the variables that the constraint solver makes visible to the Herbrand engine, all the other variables being restricted in scope to the solver itself. Since we want to characterize any set of constraint stores, our concrete domain is

\[ \mathcal{D}^\flat = \bigcup_{n \in \mathbb{N}} \wp\big(\{\, (s, C^\flat) \mid s \in T^n_z,\ C^\flat \in \mathcal{C}^\flat,\ \mathit{FV}(C^\flat) \subseteq \mathit{vars}(s) \,\}\big), \]

partially ordered by subset inclusion.
Fig. 1. Upgrading a domain with structural information.



An abstract interpretation [12] of $\mathcal{D}^\flat$ can be specified by choosing an abstract domain $\mathcal{D}^\sharp$ and a suitable abstraction function $\alpha \colon \mathcal{D}^\flat \to \mathcal{D}^\sharp$. If $\mathcal{D}^\sharp$ is not able to encode enough structural information from $\mathcal{D}^\flat$ so as to achieve the desired precision, it is possible to improve the situation by keeping some Herbrand information explicit. One way of doing that is to perform a change of representation for $\mathcal{D}^\flat$ and use the new representation as the basis for abstraction. The new representation is obtained by factoring out some common Herbrand information. The meaning of 'some' is encoded by a function.

Definition 1. (Common anti-instance function.) For each $n \in \mathbb{N}$, a function $\phi \colon \wp(T^n_z) \to T^n_{z'}$ is called a common anti-instance function if and only if the following holds: whenever $T \in \wp(T^n_z)$, if $\phi(T) = r'$ and $|\mathit{vars}(r')| = m$ with $m \geq 0$, then $\forall t \in T : \exists u \in T^m_z \,.\, r'[u/\mathit{vseq}(r')] = t$. In words, $\phi(T)$ is an anti-instance [18], in z'-form, of each $t \in T$.

Any choice of $\phi$ induces a function $\Phi_\phi \colon \mathcal{D}^\flat \to T^*_z \times \mathcal{D}^\flat$, which is given, for each $E^\flat \in \mathcal{D}^\flat$, by

\[ \Phi_\phi(E^\flat) = \Big( s,\ \{\, (u, C^\flat) \mid (t, C^\flat) \in E^\flat,\ s'[u/\mathit{vseq}(s')] = t \,\} \Big), \qquad \text{where } s' = \phi\big(\pi_1(E^\flat)\big). \]

The corestriction to the image of $\Phi_\phi$, that is the function $\Phi_\phi \colon \mathcal{D}^\flat \to \Phi_\phi(\mathcal{D}^\flat)$, is an isomorphism, the inverse being given, for each $(s, E^\flat) \in \Phi_\phi(\mathcal{D}^\flat)$, by

\[ \Phi_\phi^{-1}\big((s, E^\flat)\big) = \{\, (s'[u/\mathit{vseq}(s')], C^\flat) \mid (u, C^\flat) \in E^\flat \,\}. \]

So far, we have just chosen a different representation for $\mathcal{D}^\flat$, that is $\Phi_\phi(\mathcal{D}^\flat)$. The idea behind structural information analysis is to leave the first component of the new representation (the pattern component) untouched, while abstracting the second component by means of $\alpha$, as illustrated in Figure 1. The dotted arrow indicates a residual abstraction function $\alpha'$. As we will see in Section 4.2, such a function is implicitly required in order to define an important operation over the new abstract domain $T^*_z \times \mathcal{D}^\sharp$. Notice that, in general, $\alpha'$ does not make the diagram of Figure 1 commute.

This approach has several advantages. First, factoring out common structural information improves the analysis precision, since part of the approximated $k$-tuples of terms is recorded, in concrete form, in the first component of $T^*_z \times \mathcal{D}^\sharp$. Secondly, the above construction is adjustable by means of the parameter $\phi$. The most precise choice consists in taking $\phi$ to be a least common anti-instance (lca) function. For example, the set $E^\flat = \{\, ((s(0), Z_1), C_1),\ ((s(s(0)), Z_1), C_2) \,\}$ is mapped onto

\[ \Phi_{\mathit{lca}}(E^\flat) = \Big( (s(Z_1), Z_2),\ \{\, ((0, Z_1), C_1),\ ((s(0), Z_1), C_2) \,\} \Big), \]

where $C_1, C_2 \in \mathcal{C}^\flat$. At the other end of the spectrum is the possibility of choosing $\phi$ so that it returns a $k$-tuple of distinct variables for each set of $k$-tuples of terms. This corresponds to a framework where structural information is simply discarded. With this choice, $E^\flat$ would be mapped onto $((Z_1, Z_2), E^\flat)$. In between these two extremes there are a number of possibilities that help to manage the complexity/precision tradeoff. The tuples returned by $\phi$ can be limited in depth, for instance. Another possibility is to limit them in size, that is, limiting the number of occurrences of symbols or the number of variables. This flexibility enables the analysis' domains to be designed without considering the structural information: the problem for the domain designers is to approximate the elements of $\wp(T^k_z \times \mathcal{C}^\flat)$ with respect to the property of interest. It does not really matter whether $k$ is fixed by the arity of a predicate or $k$ is the number of variables occurring in a pattern.

4 Parametric Structural Information Analysis 

In this section we describe how a complete abstract semantics — which includes 
an abstract domain plus all the operations needed to approximate the concrete 
semantics — can be turned into one keeping track of structural information. 

We first need some assumptions on the domain $\mathcal{C}^\flat$, which represents the non-Herbrand part of constraint stores. Following [14], it is not at all restrictive to assume that, in order to define the concrete semantics of programs, four operations over $\mathcal{C}^\flat$ need to be characterized. These model the constraint accumulation process, parameter passing, projection, and renaming apart (see also [1,2] on this subject).

Constraint accumulation is modeled by the binary operator $\otimes \colon \mathcal{C}^\flat \times \mathcal{C}^\flat \to \mathcal{C}^\flat$, and the unsatisfiability condition in the constraint solver is modeled by the special value $\top^\flat \in \mathcal{C}^\flat$. Notice that, while '$\otimes$' may be reasonably expected to satisfy certain properties, such as $\forall C^\flat \in \mathcal{C}^\flat : \top^\flat \otimes C^\flat = \top^\flat$, these are not really required for what follows. The same applies to all the other operators we will introduce: only properties that are actually used will be singled out.

Parameter passing requires, roughly speaking, the ability of adding equality constraints to a constraint store. Notice that we assume $\mathcal{C}^\flat$ and its operations encode both the proper constraint solver and the so-called interface between the Herbrand engine and the solver [16]. In particular, the interface is responsible for type-checking of the equations it receives. For example, in CLP(ℛ) the interface is responsible for the fact that $X = a$ cannot be consistently added to a constraint store where $X$ was previously classified as numeric.

Another ingredient for defining the concrete semantics of any CLP system is the projection of a satisfiable constraint store onto a set of variables. This is modeled by the family of operators $\{\, \bar\exists_\Delta \colon \mathcal{C}^\flat \to \mathcal{C}^\flat \mid \Delta \in \wp_f(\mathit{Vars}) \,\}$. If $\Delta$ is a finite set of variables and $C^\flat \in \mathcal{C}^\flat$ represents a satisfiable constraint store (i.e., $C^\flat \neq \top^\flat$), then $\bar\exists_\Delta C^\flat$ represents the projection of $C^\flat$ onto the variables in $\Delta$.

For each $s, t \in T^*_z$, we write $\rho_s(t)$ (read "rename $t$ away from $s$") to denote $t[Z_{n+1}/Z_1, \ldots, Z_{n+m}/Z_m]$, where $n = |\mathit{vars}(s)|$ and $m = |\mathit{vars}(t)|$. The $\rho$ operator is useful for concatenating normalized term-tuples, still obtaining a normalized term-tuple, since we have $s :: \rho_s(t) \in T^*_z$. The renaming apart has to be extended to elements of $\mathcal{D}^\flat$. Let $C^\flat \in \mathcal{C}^\flat$ be such that $\mathit{FV}(C^\flat) \subseteq \mathit{vars}(t)$. Then $\rho_s((t, C^\flat))$ denotes the pair $(\rho_s(t), C^\flat_1)$, where $C^\flat_1 \in \mathcal{C}^\flat$ is obtained from $C^\flat$ by applying the same renaming applied to $t$ in order to obtain $\rho_s(t)$.

Term tuples are normalized by a normalization function $\eta \colon T^* \to T^*_z$ such that, for each $u \in T^*$, the resulting tuple $\eta(u) \in T^*_z$ is a variant of $u$. As for $\rho$, the normalization function has to be extended to elements of $\mathcal{D}^\flat$. Suppose that $C^\flat \in \mathcal{C}^\flat$ where $\mathit{FV}(C^\flat) \subseteq \mathit{vars}(u)$; then $\eta((u, C^\flat))$ denotes $(\eta(u), C^\flat_1)$, where it is assumed that $C^\flat_1$ can be obtained from $C^\flat$ by applying the same renaming applied to $u$ in order to obtain $\eta(u)$.

We will now show how any abstract domain can be upgraded so as to capture 
structural information by means of the Pattern(-) construction. Then we will 
focus our attention on the abstract semantic operators. 

4.1 From D♯ to Pattern(D♯)

Since one of the driving aims of this work is maximum generality, we refer to a very weak abstract interpretation framework [12]. To start with, we assume very little on abstract domains.

Definition 2. (Abstract domain for $\mathcal{D}^\flat$.) An abstract domain for $\mathcal{D}^\flat$ is a set $\mathcal{D}^\sharp$ equipped with a preorder relation $\preceq \subseteq \mathcal{D}^\sharp \times \mathcal{D}^\sharp$, an order-preserving function $\gamma \colon \mathcal{D}^\sharp \to \mathcal{D}^\flat$ and a least element $\top^\sharp$ such that $\gamma(\top^\sharp) = \emptyset$. Moreover, $\gamma$ is such that if $(p_1, C^\flat) \in \gamma(E^\sharp)$ and $\mathcal{T} \models C^\flat \rightarrow p_1 = p_2$, then $\eta((p_2, C^\flat)) \in \gamma(E^\sharp)$.

Informally, $\mathcal{D}^\sharp$ is a set of abstract properties on which the notion of "relative precision" is captured by the preorder $\preceq$. Moreover, $\mathcal{D}^\sharp$ is related to the concrete domain $\mathcal{D}^\flat$ by means of a concretization function $\gamma$ that specifies the soundness correspondence between $\mathcal{D}^\sharp$ and $\mathcal{D}^\flat$. The distinguished element $\top^\sharp$ models an impossible state of affairs. In this framework, $d^\sharp \in \mathcal{D}^\sharp$ is a safe approximation of $d^\flat \in \mathcal{D}^\flat$ if and only if $d^\flat \subseteq \gamma(d^\sharp)$.

Suppose we are given an abstract domain $\mathcal{D}^\sharp$ complying with Definition 2. Here is how it can be upgraded with explicit structural information.

Definition 3. (The Pattern(·) construction.) Let $\mathcal{D}^\sharp$ be an abstract domain for $\mathcal{D}^\flat$ and let $\gamma$ be its concretization function. Then

\[ \mathrm{Pattern}(\mathcal{D}^\sharp) = \{ \top_p \} \cup \{\, (s, E^\sharp) \in T^*_z \times \mathcal{D}^\sharp \mid \gamma(E^\sharp) \subseteq T^{|\mathit{vars}(s)|}_z \times \mathcal{C}^\flat \,\}. \]

The meaning of each element $(s, E^\sharp) \in \mathrm{Pattern}(\mathcal{D}^\sharp)$ is given by the concretization function $\gamma_p \colon \mathrm{Pattern}(\mathcal{D}^\sharp) \to \mathcal{D}^\flat$ such that $\gamma_p(\top_p) = \emptyset$ and

\[ \gamma_p\big((s, E^\sharp)\big) = \{\, \eta((r, C^\flat)) \mid (u, C^\flat) \in \gamma(E^\sharp),\ r = s'[u/\mathit{vseq}(s')] \,\}. \]

We also define the binary relation $\preceq_p \subseteq \mathrm{Pattern}(\mathcal{D}^\sharp) \times \mathrm{Pattern}(\mathcal{D}^\sharp)$ given, for each $d^\sharp_1, d^\sharp_2 \in \mathrm{Pattern}(\mathcal{D}^\sharp)$, by $d^\sharp_1 \preceq_p d^\sharp_2 \iff \gamma_p(d^\sharp_1) \subseteq \gamma_p(d^\sharp_2)$.
It can be seen that Pattern(D♯) is an abstract domain in the sense of Definition 2 provided D♯ is. Thus Pattern(D♯) can constitute the basis for designing an abstract semantics for CLP. This will usually require selecting an abstract semantic function on Pattern(D♯), an effective convergence criterion for the abstract iteration sequence (notice that the $\preceq$ and $\preceq_p$ relations are not required to be computable), and perhaps a convergence acceleration method ensuring rapid termination of the abstract interpreter [12]. The last ingredient to complete the recipe is a computable way to associate an abstract description $d^\sharp \in \mathrm{Pattern}(\mathcal{D}^\sharp)$ to each concrete property $d^\flat \in \mathcal{D}^\flat$. For this purpose, the existence of a computable function $\alpha_p \colon \mathcal{D}^\flat \to \mathrm{Pattern}(\mathcal{D}^\sharp)$ such that, for each $d^\flat \in \mathcal{D}^\flat$, $d^\flat \subseteq \gamma_p(\alpha_p(d^\flat))$ is assumed.

While one option is to design an abstract semantics based on Pattern(D♯) from scratch, it is more interesting to start with an abstract semantics centered around D♯. In this case, it is possible to systematically lift the semantic construction to Pattern(D♯).

4.2 Operations over D♯ and Pattern(D♯)

We now present the abstract operations we assume on D♯ and the derived operations over Pattern(D♯). Each operator on D♯ is introduced by means of safety conditions that ensure the safety of the derived operators over Pattern(D♯).

Given the abstract domain, there are still many degrees of freedom for the 
design of a constructive abstract semantics. Thus, choices have to be made in 
order to give a precise characterization. In what follows we continue to strive for 
maximum generality. Where this is not possible we detail the design choices we 
have made in the development of the China analyzer [1]. While some things may 
need adjustments for other analysis frameworks, the general principles should 
be clear enough for anyone to make the necessary changes. 



Meet with Renaming Apart We call meet with renaming apart (denoted by '$\triangleright$') the operation of taking two descriptions in $\mathcal{D}^\sharp$ and, roughly speaking, juxtaposing them. This is needed when "solving" a clause body with respect to the current interpretation and corresponds, at the concrete level, to a renaming followed by an application of the '$\otimes$' operator. Its counterpart on Pattern(D♯) is denoted by 'rmeet' and defined as follows.

Definition 4. ('$\triangleright$' and 'rmeet') Let $\triangleright \colon \mathcal{D}^\sharp \times \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ be such that, for each $E^\sharp_1, E^\sharp_2 \in \mathcal{D}^\sharp$,

\[ \gamma(E^\sharp_1 \triangleright E^\sharp_2) \supseteq \left\{ \eta\big((t, C^\flat_1 \otimes C^\flat_3)\big) \;\middle|\; \begin{array}{l} (t_1, C^\flat_1) \in \gamma(E^\sharp_1),\quad (t_2, C^\flat_2) \in \gamma(E^\sharp_2), \\ (w_2, C^\flat_3) = \rho_{t_1}\big((t_2, C^\flat_2)\big), \\ C^\flat_1 \otimes C^\flat_3 \neq \top^\flat,\quad t = t_1 :: w_2 \end{array} \right\}. \]

Then, we define $\mathrm{rmeet}\big((s_1, E^\sharp_1), (s_2, E^\sharp_2)\big) = \big(s_1 :: \rho_{s_1}(s_2),\ E^\sharp_1 \triangleright E^\sharp_2\big)$, for each $(s_1, E^\sharp_1), (s_2, E^\sharp_2) \in \mathrm{Pattern}(\mathcal{D}^\sharp)$.
A consequence of this definition is that there is no precision loss in 'rmeet' [3].

Parameter Passing Concrete parameter passing is realized by an extended unification procedure. Unification is extended because it must involve the constraint solver(s). Remember that our notion of "constraint solver" includes also the interface between the Herbrand engine and the proper solver [16]. The interface needs to be notified about all the bindings performed by the Herbrand engine in order to maintain consistency between the solver and the Herbrand part. We also assume that CLP programs are normalized in such a way that interpreted function symbols only occur in explicit constraints (note that this is either required by the language syntax itself, as in the case of the clp(Q,R) libraries of SICStus Prolog, or is performed automatically by the CLP system).

At the abstract level we do not prescribe the use of any particular algorithm. This is to keep our approach as general as possible. For instance, an implementer is not forced to use any particular representation for term-tuples (as in [11]). Similarly, one can choose any sound unification procedure that works well with the selected representation. Of particular interest is the possibility of choosing a representation and procedure that closely match the ones employed in the concrete language being analyzed. In this case, all the easy steps typical of any unification procedure (functor name/arity checks, peeling, and so on) will be handled, at the abstract level, exactly as they are at the concrete level. The only crucial operation in abstract parameter passing over Pattern(D♯) is the binding of an abstract variable to an abstract term. This is performed by first applying a non-cyclic approximation of the binding to the pattern component and then notifying the original (possibly cyclic) binding to the abstract constraint component. The correctness of this approach can be proved [3] by assuming the existence of a bind operator on the underlying abstract constraint system satisfying the following condition.

Definition 5. (bind) Let $E^\sharp$ be a description such that $\gamma(E^\sharp) \subseteq T^m_z \times \mathcal{C}^\flat$. Let $Z = (Z_1, \ldots, Z_m)$, $u \in T_Z$, $\mathit{vseq}(u) = (Z_{j_1}, \ldots, Z_{j_l})$ and let $1 \leq h \leq m$. Then, define

\[ (k_1, \ldots, k_{m_1}) = (1, \ldots, h-1) :: \big( (j_1, \ldots, j_l) \setminus \{1, \ldots, h-1\} \big) :: \big( (h+1, \ldots, m) \setminus \{j_1, \ldots, j_l\} \big). \]

If $e^\sharp_1 = \mathrm{bind}(E^\sharp, u, Z_h)$, then

\[ \gamma(e^\sharp_1) \supseteq \left\{ \eta\big((q\theta, C^\flat_1)\big) \;\middle|\; \begin{array}{l} (p, C^\flat) \in \gamma(E^\sharp),\quad p = (p_1, \ldots, p_m),\quad q = (p_{k_1}, \ldots, p_{k_{m_1}}), \\ \theta \text{ is an idempotent substitution},\quad \mathit{FV}(C^\flat_1) \subseteq \mathit{vars}(q\theta), \\ \mathcal{T} \models (Z'_h = u')[p/Z'] \rightarrow \theta, \\ \mathcal{T} \models C^\flat_1 \leftrightarrow \big( (Z'_h = u')[p/Z'] \wedge C^\flat \big)\theta \end{array} \right\}. \]

Note that $m_1 = m - 1$ if $Z_h \notin \mathit{vars}(u)$, and $m_1 = m$ otherwise.

To motivate and explain the above condition on $e^\sharp_1 = \mathrm{bind}(E^\sharp, u, Z_h)$, suppose that $p$ is the pattern component and $C^\flat$ the constraint component of an element in the concretization of $E^\sharp$. Now, the pattern components of elements of the abstract domain Pattern(D♯) are always in normal form and thus, after applying the binding to an element of $\gamma(E^\sharp)$, we must apply the normalization function so that the result is also in Pattern(D♯). This will first remove the $h$-th term $Z_h$ in the case that $Z_h$ does not occur in $u$ and then permute the remaining elements of $Z$. A corresponding operation is applied to the pattern $p$. That is, $q$ is constructed from $p$ first by removing the $h$-th term $p_h$ in the case that $Z_h$ does not occur in $u$ and then by applying the same permutation as before on the remaining elements of $p$. As a most general solution $\vartheta$ to $(Z'_h = u')[p/Z']$ may be cyclic, only an approximation of $\vartheta$, the idempotent substitution $\theta$, is applied to $q$. The actual solution $\vartheta$ together with $C^\flat\theta$ is captured by the constraint $C^\flat_1$. Finally, note that the new pattern component $q\theta$ may not be in normal form, so that in the condition for bind it is the normalized variant of $(q\theta, C^\flat_1)$ that must be in the concretization of $e^\sharp_1$.

We refer the reader to [3] for a description of how any correct unification algorithm can be transformed into a correct (abstract) unification algorithm for Pattern(D♯) using the bind operator and the normalization function $\eta$.
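The binding step just described, as an added example that is not part of the paper or of the China analyzer: a unifier that, where the occur-check would fire, sets that equation aside instead of failing or building a cyclic binding, so that the idempotent substitution it returns is implied by the equation system and can be applied to the pattern component, while the deferred (possibly cyclic) equations are what gets notified to the constraint component. The term encoding (strings for variables, tuples (functor, args...) for compound terms, 1-tuples for constants, a Python list for a term-tuple), the names `solve` and `bind`, and the convention that the variables Z1, ..., Zm of u name the positions of the described tuple are assumptions of this example.

```python
from typing import Dict, List, Tuple, Union

# Added example, not the paper's code. Encoding assumed here: a variable is a str, a
# compound term is a tuple (functor, args...), a constant is (functor,), a term-tuple is a
# Python list. In bind(), the variables Z1, ..., Zm of u name the positions of the tuple
# being described, as in Definition 5.
Term = Union[str, tuple]
Tup = List[Term]

def is_var(t: Term) -> bool:
    return isinstance(t, str)

def vseq(t: Tup) -> List[str]:
    """First occurrences of variables, depth-first left-to-right (Section 2)."""
    def walk(x: Term) -> List[str]:
        return [x] if is_var(x) else [v for a in x[1:] for v in walk(a)]
    return list(dict.fromkeys(v for x in t for v in walk(x)))

def subst(t: Term, sub: Dict[str, Term]) -> Term:
    return sub.get(t, t) if is_var(t) else (t[0],) + tuple(subst(a, sub) for a in t[1:])

def solve(eqs: List[Tuple[Term, Term]]) -> Tuple[Dict[str, Term], List[Tuple[Term, Term]]]:
    """Martelli-Montanari unification that does not fail on the occurs check: an equation
    X = t with X occurring in t (t != X) is deferred instead of becoming a cyclic binding.
    Returns (theta, deferred): theta is idempotent and is implied by eqs; deferred holds
    the equations theta does not account for (satisfiable over rational trees).
    A functor clash raises; an analyzer would map that to the unsatisfiable element."""
    theta: Dict[str, Term] = {}
    deferred: List[Tuple[Term, Term]] = []
    work = list(eqs)
    while work:
        a, b = work.pop()
        a, b = subst(a, theta), subst(b, theta)
        if a == b:
            continue
        if not is_var(a) and is_var(b):
            a, b = b, a
        if is_var(a):
            if a in vseq([b]):
                deferred.append((a, b))          # would need a cyclic binding: defer it
                continue
            theta = {v: subst(t, {a: b}) for v, t in theta.items()}
            theta[a] = b                         # idempotent: b has theta applied, a not in b
        elif a[0] != b[0] or len(a) != len(b):
            raise ValueError(f"clash: {a} = {b}")
        else:
            work.extend(zip(a[1:], b[1:]))
    return theta, [(subst(x, theta), subst(y, theta)) for x, y in deferred]

def bind(p: Tup, h: int, u: Term) -> Tuple[Tup, List[Tuple[Term, Term]]]:
    """Binding of position Z_h (1-based) to u on a concrete pattern p of length m: solve
    p_h = u[p/Z] with solve(), apply the non-cyclic theta to the surviving components
    (ordered like Definition 5's k_1..k_m1), normalize to z-form, and return the deferred
    equations, renamed the same way, for the constraint component."""
    m = len(p)
    theta, deferred = solve([(p[h - 1], subst(u, {f"Z{i}": p[i - 1] for i in range(1, m + 1)}))])
    js = [int(v[1:]) for v in vseq([u])]
    order = list(range(1, h)) + [j for j in js if j >= h] + [i for i in range(h + 1, m + 1) if i not in js]
    q = [subst(p[i - 1], theta) for i in order]
    ren = {v: f"Z{i}" for i, v in enumerate(vseq(q), 1)}
    for v in vseq([x for e in deferred for x in e]):
        ren.setdefault(v, f"Z{len(ren) + 1}")
    return [subst(x, ren) for x in q], [(subst(x, ren), subst(y, ren)) for x, y in deferred]
```

With p = (f(Z1, Z2), Z2, Z1) and the binding Z_1 := f(a, g(Z_2)), the equation f(Z1, Z2) = f(a, g(Z2)) yields theta = {Z1 := a} and the deferred equation Z2 = g(Z2); the pattern becomes (Z1, a) after normalization and the cyclic equation, renamed to Z1 = g(Z1), is handed to the constraint component rather than folded into the pattern.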

Projection When all the goals in a clause body have been solved, projection is used to restrict the abstract description to the tuple of arguments of the clause's head. The projection operations on $\mathcal{D}^\flat$ consist simply in dropping a suffix of the term-tuple component, with the consequent projection on the underlying constraint domain.

Definition 6. ('$\mathrm{project}_k$') $\{\, \mathrm{project}_k \colon \mathcal{D}^\flat \rightharpoonup \mathcal{D}^\flat \mid k \in \mathbb{N} \,\}$ is a family of operations such that, for each $k \in \mathbb{N}$ and each $(u, C^\flat)$ with $|u| \geq k$, if we define $\Delta = \mathit{vars}(\mathrm{prefix}_k(u))$, then $\mathrm{project}_k\big((u, C^\flat)\big) = \big(\mathrm{prefix}_k(u),\ \bar\exists_\Delta C^\flat\big)$.

We now introduce the corresponding projection operations on Pattern(D♯) and, in order to establish their correctness, we impose a safety condition on the projection operations of $\mathcal{D}^\sharp$.

Definition 7. ('$\mathrm{project}^\sharp_k$' and '$\mathrm{project}^p_k$') Assume we are given a family of operations $\{\, \mathrm{project}^\sharp_k \colon \mathcal{D}^\sharp \to \mathcal{D}^\sharp \mid k \in \mathbb{N} \,\}$ such that, for each $E^\sharp \in \mathcal{D}^\sharp$ with $\gamma(E^\sharp) \subseteq T^m_z \times \mathcal{C}^\flat$ and each $k \leq m$,

\[ \gamma\big(\mathrm{project}^\sharp_k(E^\sharp)\big) \supseteq \{\, \mathrm{project}_k((u, C^\flat)) \mid (u, C^\flat) \in \gamma(E^\sharp) \,\}. \]

Then, for each $(s, E^\sharp) \in \mathrm{Pattern}(\mathcal{D}^\sharp)$ such that $s \in T^m_z$ and each $k \leq m$, we define $\mathrm{project}^p_k\big((s, E^\sharp)\big) = \big(\mathrm{prefix}_k(s),\ \mathrm{project}^\sharp_j(E^\sharp)\big)$, where $j = |\mathit{vars}(\mathrm{prefix}_k(s))|$.

With these definitions '$\mathrm{project}^p_k$' is correct with respect to '$\mathrm{project}_k$' [3].

Remapping The operation of remapping is used to adapt a description in Pattern(D♯) to a different, less precise, pattern component. Remapping is essential to the definition of various join and widening operators. Consider a description $(s, E^\sharp_s) \in \mathrm{Pattern}(\mathcal{D}^\sharp)$ and a pattern $r' \in T^*_{z'}$ such that $r'$ is an anti-instance of $s$. We want to obtain $E^\sharp_r \in \mathcal{D}^\sharp$ such that $\gamma_p((r, E^\sharp_r)) \supseteq \gamma_p((s, E^\sharp_s))$. This is what we call remapping $(s, E^\sharp_s)$ to $r'$.

Definition 8. ('remap') Let $(s, E^\sharp_s) \in \mathrm{Pattern}(\mathcal{D}^\sharp)$ be a description with $s \in T^n_z$ and let $r' \in T^n_{z'}$ be an anti-instance of $s$. Assume also $|\mathit{vars}(r')| = m$ and let $u \in T^m_z$ be the unique tuple such that $r'[u/\mathit{vseq}(r')] = s$. Then the operation $\mathrm{remap}(s, E^\sharp_s, r')$ yields $E^\sharp_r \in \mathcal{D}^\sharp$ such that $\gamma(E^\sharp_r) \supseteq \gamma_p((u, E^\sharp_s))$.

Observe that the remap function is closely related to the residual abstraction function $\alpha'$ of Figure 1.¹ With this definition, the specification of 'remap' meets our original requirement [3].



Upper Bound Operators A concrete (collecting) semantics for CLP will typ- 
ically use set union to gather results coming from different computation paths. 
We assume that our base domain captures this operation by means of an 
upper bound operator ‘0’. Namely, for each e\,e\ G 'D'^ and each t = 1, 2, 
we have that e\ ^ e\(B e\. This is used to merge descriptions arising from the 
different computation paths explored during the analysis. 

The operation of merging two descriptions in Pattern(D♯) is defined in terms of ‘remap’. Let (s_1, E♯_1) and (s_2, E♯_2) be two descriptions with s_1, s_2 ∈ T^m. The resulting description is (r, E♯'_1 ⊕ E♯'_2), where r ∈ T^m is an anti-instance of both s_1 and s_2, and E♯'_i = remap(s_i, E♯_i, r), for i = 1, 2. We note again that r might be the least common anti-instance of s_1 and s_2, or it can be a further approximation of lca(s_1, s_2): this is one of the degrees of freedom of the framework. Thus, the family of operations we are about to present is parameterized with respect to a common anti-instance function, and the analyzer may dynamically choose which anti-instance function is used at each step.

Definition 9. (‘join_φ’) Let φ be any common anti-instance function. The operation (partial function) join_φ : ℘_f(Pattern(D♯)) → Pattern(D♯) is defined as follows. For each k ∈ ℕ and each finite family F = {(s_i, E♯_i) | i ∈ I} of elements of Pattern(D♯) such that s_i ∈ T^k for each i ∈ I, join_φ(F) = (r, E♯), where r = φ({s_i | i ∈ I}) and E♯ = ⊕_{i∈I} remap(s_i, E♯_i, r).

If φ is any common anti-instance function then ‘join_φ’ is an upper bound operator [3].
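A toy instance of the Pattern(D♯) construction, covering ‘lca’, ‘remap’, ‘join_φ’ (Definition 9) and the ‘compare’ operation of Definition 10 below; this is an added example and not the China analyzer's code. It assumes a constructed base domain D♯ of groundness information (the set of variable positions known to be ground, ordered by reverse inclusion, so ‘⊕’ is set intersection) and a constructed term representation: nested tuples for compound terms, 1-tuples for constants, strings for variables.

```python
"""Toy instance of the Pattern(D#) construction (added example, not the
China analyzer's code). A term is a nested tuple ('f', arg, ...), a constant
is a 1-tuple ('a',), a variable is a string. The constructed base domain D#
is a groundness domain: an element E is the frozenset of positions (in the
pattern's variable sequence) known to be ground; E1 is below E2 iff E1 >= E2,
so the upper bound '+' of the paper is set intersection."""
from itertools import count


def is_var(t):
    return isinstance(t, str)


def vseq(t, acc=None):
    """Variables of a term in order of first occurrence (the paper's vseq)."""
    acc = [] if acc is None else acc
    if is_var(t):
        if t not in acc:
            acc.append(t)
    else:
        for arg in t[1:]:
            vseq(arg, acc)
    return acc


def match(pattern, term, binding):
    """Bind the variables of 'pattern' to subterms of 'term'; False unless
    'term' is an instance of 'pattern' (i.e. 'pattern' is an anti-instance)."""
    if is_var(pattern):
        if pattern in binding:
            return binding[pattern] == term
        binding[pattern] = term
        return True
    if is_var(term) or term[0] != pattern[0] or len(term) != len(pattern):
        return False
    return all(match(p, t, binding) for p, t in zip(pattern[1:], term[1:]))


def lca(s1, s2, fresh=None, memo=None):
    """Least common anti-instance (anti-unification): agreeing functors are
    kept, each distinct disagreement pair becomes one fresh variable."""
    fresh = count() if fresh is None else fresh
    memo = {} if memo is None else memo
    if (not is_var(s1) and not is_var(s2)
            and s1[0] == s2[0] and len(s1) == len(s2)):
        return (s1[0],) + tuple(lca(a, b, fresh, memo)
                                for a, b in zip(s1[1:], s2[1:]))
    if (s1, s2) not in memo:
        memo[(s1, s2)] = "_G%d" % next(fresh)
    return memo[(s1, s2)]


def remap(s, E, r):
    """remap(s, E, r) of Definition 8: the i-th variable of the anti-instance r
    stands for a subterm u_i of s; it is ground iff every variable of u_i is
    ground in E. This is the only place where the semantics of D# is used."""
    binding = {}
    if not match(r, s, binding):
        raise ValueError("r is not an anti-instance of s")
    pos = {v: i for i, v in enumerate(vseq(s))}
    return frozenset(i for i, v in enumerate(vseq(r))
                     if all(pos[x] in E for x in vseq(binding[v])))


def join(descs, phi=lca):
    """join_phi of Definition 9: generalise the patterns with phi (lca by
    default), remap every base element to the common pattern, then take the
    base-domain upper bound (intersection in the toy groundness domain)."""
    r = descs[0][0]
    for s, _ in descs[1:]:
        r = phi(r, s)
    E = None
    for s, Es in descs:
        Er = remap(s, Es, r)
        E = Er if E is None else E & Er
    return r, E


def compare(d1, d2):
    """'compare' of Definition 10: descriptions are ordered only when the
    patterns coincide; E1 below E2 means E1 knows at least as much as E2."""
    (s1, E1), (s2, E2) = d1, d2
    return s1 == s2 and E1 >= E2


if __name__ == "__main__":
    # Constructed descriptions: f(g(X), a) with X ground, and f(g(Y), b)
    # with Y unknown; the join keeps the structure f(g(_), _) and records
    # that only the second argument is certainly ground.
    d1 = (("f", ("g", "X"), ("a",)), frozenset({0}))
    d2 = (("f", ("g", "Y"), ("b",)), frozenset())
    print(join([d1, d2]))
    # Remapping d1 to a tuple of distinct variables is the residual
    # abstraction alpha' of the footnote: both arguments of f are ground.
    print(remap(d1[0], d1[1], ("f", "A", "B")))
```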



Widenings It is possible to devise a (completely unnatural) abstract domain D♯ that enjoys the ascending chain condition (see footnote) but still prevents Pattern(D♯) from possessing the same property. This despite the fact that any element of T^n has a finite number of distinct anti-instances in T^n. However, this problem is of no practical interest if the analysis applies ‘join_φ’ at each step of the iteration sequence. In this case, if we denote by (s_j, E♯_j) ∈ Pattern(D♯) the description at step j ∈ ℕ, we have (s_{j+1}, E♯_{j+1}) = join_φ({(s_j, E♯_j), ...}), assuming no widening

Footnote: Indeed, one can define α' = λ(s, E♯) ∈ T^m × D♯ . remap(s, E♯, (Z_1, . . . , Z_m)).
Footnote: Namely, each strictly increasing chain is finite.
is employed. This implies that s_{j+1} is an anti-instance of s_j. As any ascending chain in T^n is finite, the iteration sequence will eventually stabilize if D♯ enjoys the ascending chain condition.

In some cases, however, rapid termination of the analysis on D♯ can only be ensured by using one or more widening operators ∇ : D♯ × D♯ → D♯ [13]. These can be lifted to work on Pattern(D♯). As an example, we show the default lifting used by the China analyzer:



$$\mathit{widen}\big((s_1, E^\sharp_1), (s_2, E^\sharp_2)\big) = \begin{cases} (s_2, E^\sharp_2), & \text{if } s_1 \ne s_2; \\ (s_2, E^\sharp_1 \mathbin{\nabla} E^\sharp_2), & \text{if } s_1 = s_2. \end{cases} \qquad (1)$$



This operator refrains from widening unless the pattern component has stabi- 
lized. A more drastic choice for a widening is given by 

$$\mathit{Widen}\big((s_1, E^\sharp_1), (s_2, E^\sharp_2)\big) = \big(s_2, \mathit{remap}(s_1, E^\sharp_1, s_2) \mathbin{\nabla} E^\sharp_2\big). \qquad (2)$$

Widening operators only need to be evaluated over (s_1, E♯_1) and (s_2, E♯_2) when s_2 is an anti-instance of s_1. Thus, as T^n satisfies the ascending chain condition, ‘widen’ and ‘Widen’ are well-defined widening operators on Pattern(D♯) [3].

Besides ensuring termination, widening operators are also used to accelerate convergence of the analysis. It is therefore important to be able to define widening operators on Pattern(D♯) without relying on the existence of corresponding widenings on D♯. There are many possibilities in this direction and some of them are currently under experimental evaluation. Just note that any upper bound operator ‘join_φ’ can be regarded as a widening as soon as the common anti-instance function φ is different from the lca. In order to ensure the convergence of the abstract computation, we will only consider widening operators on Pattern(D♯) satisfying the following (very reasonable) condition: if (s, E♯) is the result of the widening applied to (s_1, E♯_1) and (s_2, E♯_2), where s_2 is an anti-instance of s_1, then s is an anti-instance of s_2. Both ‘widen’ and ‘Widen’ comply with this restriction.



Comparing Descriptions The comparison operation on Pattern(D♯) is used by the analyzer in order to check whether a local fixpoint has been reached.

Definition 10. (‘compare’) Let ⪯ ⊆ D♯ × D♯ be a computable preorder that correctly approximates ⊑, that is, for each E♯_1, E♯_2 ∈ D♯, we have E♯_1 ⊑ E♯_2 whenever E♯_1 ⪯ E♯_2. The approximated ordering relation over Pattern(D♯), denoted by ‘compare’ ⊆ Pattern(D♯) × Pattern(D♯), is defined, for each (s_1, E♯_1), (s_2, E♯_2) ∈ Pattern(D♯), by compare((s_1, E♯_1), (s_2, E♯_2)) ⟺ (s_1 = s_2 ∧ E♯_1 ⪯ E♯_2).

It must be stressed that the above ordering is “approximate” since it does not take into account the peculiarities of D♯. More refined orderings can be obtained in a domain-dependent way, namely, when D♯ has been fixed. It is easy to show that ‘compare’ is a preorder over Pattern(D♯) that correctly approximates the approximation ordering ‘⊑_P’ [3]. The ability of comparing descriptions only when they have the same pattern is not restrictive in our setting. Indeed, the definition of ‘join_φ’ and the condition we imposed on widenings ensure that any two descriptions arising from consecutive steps of the iteration sequence are ordered by the anti-instance relation. When combined with the ascending chain condition of the pattern component, this allows Pattern(D♯) to inherit termination from the underlying domain D♯.

5 Experimental Evaluation 

We have conducted an extensive experimentation on the analysis using the Pattern(·) construction: this allowed us to tune the implementation and gain insight on the implications of keeping track of explicit structural information. To put ourselves in a realistic situation, we assessed the impact of the Pattern(·) construction on Modes, a very precise and complex domain for mode analysis. This captures information on simple types, groundness, boundedness, pair-sharing, freeness, and linearity. It is a combination of, among other things, two copies of the GER representation for Pos [5] (one for groundness and one for boundedness) and the non-redundant pair-sharing domain PSD [4] with widening as described in [22]. Each of these domains has been suitably extended to ensure correctness and precision of the analysis even for systems that omit the occur-check [1,15]. Some details on how the domains are combined can be found in [6].

The benchmark suite used for the development and tuning of the China 
analyzer is probably the largest one ever employed for this purpose. The suite 
comprises all the programs we have access to (i.e., everything we could find by 
systematically dredging the Internet): 300 programs, 16 MB of code, 500 K lines, 
the largest program containing 10063 clauses in 45658 lines of code. 

The comparison between Modes and Pattern(Modes) involves the two usual things: precision and efficiency. However, how are we going to compare the precision of the domain with explicit structural information with one without it? That is something that should be established in advance. Let us consider a simple but not trivial Prolog program: mastermind.pl (see footnote). Consider also the only direct query for which it has been written, ‘?- play.’, and focus the attention on the procedure extend_code/1. A standard goal-dependent analysis of the program with the Modes domain is only able to tell something like

extend_code(A) :- list(A).

This means: “during any execution of the program, whenever extend_code/1 succeeds it will have its argument bound to a list cell (i.e., a term whose principal functor is either '.'/2 or []/0)”. Not much indeed. Especially because this can be established instantly by visual inspection: extend_code/1 is always called with a list argument and this completes the proof. If we perform the analysis with Pattern(Modes) the situation changes radically. Here is what such a domain allows China to derive (see footnote):

Footnote: Available at http://www.cs.unipr.it/China/Benchmarks/Prolog/mastermind.pl.
Footnote: Some extra groundness information obtained by the analysis has been omitted.

Table 1. A summary of the Modes precision gained using structural information.



extend_code([([A|B],C,D)|E]) :- list(B), list(E),
    (functor(C,_,1) ; integer(C)), (functor(D,_,1) ; integer(D)),
    ground([C,D]), may_share([[A,B,E]]).

Under the circumstances mentioned above, this means: “the argument of procedure extend_code/1 will be bound to a term of the form [([A|B],C,D)|E], where B and E are bound to list cells; C is either bound to a functor of arity 1 or to an integer, and likewise for D; both C and D are ground, and (consequently) pair-sharing may only occur between A, B, and E”.

It is clear that the analysis with Pattern(Modes) yields much more information. However, it is not clear at all how to define a fair measure for this precision gain. The approach we have chosen is simple though unsatisfactory: throw away all the structural information at the end of the analysis and compare the usual numbers (i.e., number of ground variables, number of free variables and so on). With reference to the above example, this metric pretends that explicit structural information gives no precision improvements on the analysis of extend_code/1 in mastermind.pl. In fact, once all the structural information has been discarded, the analysis with Pattern(Modes) only specifies that, upon success, the argument of extend_code/1 will be a list cell. In other words, we are measuring how the explicit structural information present in Pattern(Modes) improves the precision on Modes itself, which is only a tiny part of the real gain in accuracy. The value of this extra precision can only be measured from the point of view of the target application of the analysis.

It is important to note that the experimental results we are about to report have been obtained without using any widening on the pattern component. The widening operations are only propagated to the underlying Modes domain by means of the ‘widen’ operator given in Eq. (1). Moreover, the merge operation employed is always ‘join_lca’. For space limitations, here we can only summarize the results of the experimentation. The interested reader can find all the details at http://www.cs.unipr.it/China. As far as precision is concerned, we measure five different quantities: the total number of independent argument pairs (indep); the total number of ground argument positions; the total number of linear argument positions; the total number of free argument positions; and the total number of bound (or nonvar) argument positions.




Efficient Structural Information Analysis for Real CLP Languages 

time difference in seconds        # prog.        % prog.
                                  GI     GD      GI      GD
degradation > 1                    9     20     100.0   100.0
0.5 < degradation < 1              2      4      97.0    93.3
0.2 < degradation < 0.5           15     18      96.3    92.0
degradation < 0.2                105    106      91.3    86.0
same time                         90     77      56.3    50.7
improvement < 0.2                 34     31      26.3    25.0
0.2 < improvement < 0.5           11     11      15.0    14.7
0.5 < improvement < 1              9      5      11.3    11.0
improvement > 1                   25     28       8.3     9.3

Table 2. A summary on efficiency: the distribution of analysis time differences.



Since we are completely disregarding the precision gains coming from structural information in itself, our results give a (very pessimistic) lower bound on the overall precision improvement. The results are summarized by partitioning the benchmark suite into six classes of programs, identified by the percentage increase in precision due to the Pattern(·) construction. Table 1 gives the cardinalities of these classes for both goal-independent (GI) and goal-dependent (GD) analyses. A precision increase, on at least one of the measured quantities, is observed on more than one third of the benchmarks. The only precision decrease is due to the interaction between the Pattern(·) construction and the widenings used in the Modes domain. It is also worth observing that, on average, goal-dependent analysis is more likely to benefit from the addition of structural information.

In order to evaluate the impact on efficiency of the Pattern(·) transformation we computed the fixpoint evaluation time for all the programs, both with the Modes and with the Pattern(Modes) domains. Results are summarized by partitioning the benchmark suite into a number of classes and giving the cardinality of each class. As a first parameter, we considered the absolute time difference observed for each program (see footnote). Table 2 gives the cardinality of 9 classes, distinguishing between GI and GD analyses. The numbers show that the full range of possible behaviors is indeed observable. Quite surprisingly, it is not uncommon, although inherently more precise and complex, for the case with the Pattern(·) construction to result in significant time improvements. The reason for this is only partly due to the enhanced ability of the Pattern component to detect and hence prune failed computation paths. Most importantly, the description of a set of tuples of terms in Pattern(Modes) is often much more efficient

Footnote: As the benchmark suite comprises several real programs of very respectable size, we believe that absolute time comparison is what really matters to assess the feasibility of the Pattern(·) construction with respect to the underlying domain. A time difference less than one second is an approximation of “the user will not notice.” The experiments were conducted on a PC equipped with an AMD Athlon clocked at 700 MHz, 256 MB of RAM, and running Linux 2.2.16.
Table 3. A summary on efficiency: the distribution of analysis times.



than the corresponding description in Modes. Percentages in the columns on the right show how many programs are at least as good as the corresponding class. For instance, more than 85% of the benchmarks either reduce the analysis time or increase it by at most 0.2 secs. Since the occasional bad-behaving cases can be dealt with by defining a suitable widening operator on the pattern component, these results disprove the common belief that structural information has a heavy impact on the efficiency of the analysis.

As a second criterion, Table 3 partitions the benchmark suite into 7 classes based on their total fixpoint computation time, again distinguishing between GI and GD analysis. The columns labeled ‘diff.’ show how each class grows or shrinks because of the addition of structural information. It can be seen that the Pattern(·) construction causes only a minor change to the distribution, decreasing the number of benchmarks in both the fastest and the slowest classes.

6 Related Work 

The use of explicit structural information has also been studied in [7], where abstract equation systems are integrated into an analysis domain tracking set-sharing, freeness, linearity and compoundness. While allowing for an implementation-independent definition, this proposal still assumes the occur-check, therefore resulting in an unsound analysis for implemented CLP languages. An experimental evaluation on a small benchmark suite (19 programs) was reported by Mulkers et al. in [19,20]. Here the investigation mainly focused on the comparison between different instances of the underlying domain, showing the positive impact of freeness and linearity information on both the precision and performance of the classical set-sharing analysis. The experiments on the integration of structural information, by means of a depth-k abstraction (replacing all subterms occurring at a depth greater than or equal to k with fresh abstract variables) for values of k between 0 and 3, showed that the domain they employed was not suitable to the analysis of real programs and, in fact, even the analysis of a modest-sized program like ‘ann’ could only be carried out with depth-0 abstraction (i.e., with no structural information at all).
In [8], an alternative technique is proposed for augmenting a data-flow anal- 
ysis with structural information. Instead of upgrading the analysis domain, this 
technique relies on program transformations. In this approach, called untupling, 
the data-flow analysis of a given program would be performed in four distinct 
phases. This new analysis technique is advocated for its simplicity and efficiency. 
Comparing their limited experimental evaluation to the one conducted in [11], 
the authors of [8] claim that the untupling approach is inherently more efficient 
than abstract domain enhancement. Our new performance results suggest that 
this conclusion may need reconsidering. On the other hand, the proposal in [8] 
may be simpler to implement despite the four phases required, especially if one 
has to start from scratch. However, the Pattern(-) construction, besides being 
more precise and particularly efficient, is already implemented and has been 
thoroughly tested on a large number of benchmarks using the very expressive 
abstract domain Modes. Furthermore, as the implementation is in the form of a 
C++ template, only a very limited effort is required to upgrade any other abstract 
domain with structural information. 

7 Conclusion 

We have presented the rational construction of a generic domain for structural analysis of real CLP languages: Pattern(D♯), where the parameter D♯ is an abstract domain satisfying certain properties. We build on the parameterized Pat(ℜ) domain of Cortesi et al. [10,11], which is restricted to logic programs and requires the occur-check to be performed. However, while Pat(ℜ) is presented as a specific implementation of a generic structural domain, our formalization is implementation-independent. Reasoning at a higher level of abstraction we are able to appeal to familiar notions of unification theory, while leaving considerably more latitude for the implementer. Indeed our results show that, contrary to popular belief, an analyzer incorporating structural information analysis based on our approach can be highly competitive even from the efficiency point of view.
Abstract. Alpha-Beta is a well known optimized algorithm used to compute the values of classical combinatorial games, like chess and checkers. The known proofs of correctness of Alpha-Beta rely on very specific properties of the values used in the classical context (integers or reals), and on the finiteness of the game tree. In this paper we prove that Alpha-Beta correctly computes the value of a game tree even when these values are chosen in a much wider set of partially ordered domains, which can be pretty far apart from integers and reals, like in the case of the lattice of idempotent substitutions or ex-equations used in logic programming. We do so in a more general setting that allows us to deal with infinite games, and we actually prove that for potentially infinite games Alpha-Beta correctly computes the value of the game whenever it terminates. This correctness proof allows us to apply Alpha-Beta to new domains, like constraint logic programming.



1 Introduction 

Game theory has found various applications in the research field of programming language semantics, so that game theory is a very active research subject in computer science. After the preliminary works of Lamarche [11], Blass [2] and Joyal [9] in the early 90s, the works of Abramsky, Malacaria and Jagadeesan [1] led to the first fully abstract semantics for functional (PCF) or imperative (Idealized Algol) languages. Then, more recently, specialists of Linear Logic got interested in links between games and the geometry of interaction [13], whereas Curien and Herbelin showed that certain classical abstract machines could be interpreted in terms of games [4].

But these relevant works use more the vocabulary of games (player, move, game, strategy) than the results and the techniques of traditional Game Theory: typically, nobody is interested in knowing, in those games, if there is a winner, and what he wins; the focus there is on the dynamic aspect of player interaction, and game composition, not on the only interesting notion of classical game theory, the gain. This should not be taken as a criticism, but as proof of the richness of Game Theory, which can be useful even when one only takes its vocabulary: the generality of the concepts it manipulates (arenas, multiple and independent agents, strategies of cooperation or of non-cooperation, quantification of the remuneration after each game) and their intuitive nature already provide a powerful metalanguage that allows us to tackle many of the aspects of modern programming languages.

In a paper written with S. Nicolet [5], the authors showed for the first time that 
classical notions like payoff, propagation functions and evaluation of a game tree 
are not sterile in the semantics of programming languages, by introducing a two 
player combinatorial game whose value, defined by means of von Neumann’s 
MiniMax theorem [16], is the result of the execution of a logic program. In that 
work, we had to introduce an ad hoc framework to deal with substitutions as 
game values, and to prove the correctness of this game semantics with respect 
to the traditional semantics of logic programs [3] . 

In this paper, we present a general framework for classical two player games, but 
relaxing many traditional restrictions: infinite plays are allowed, values are no 
longer required to be totally ordered, and propagation functions can be chosen 
from a wide set of candidates. In this setting, the formal definition of the value 
of a game is given. 

Then, we focus on the problem of efficiently computing the value of the game, by using the Alpha-Beta algorithm, not just on the existence of the value as formally defined.

Surprisingly enough, we can show that the Alpha-Beta algorithm computes the 
correct value of the game under a few general assumptions on the domain of 
values, thus greatly broadening its applicability: it can be, for example, used as 
a computational engine for logic programming. 

But we do not content ourselves with proving correctness of Alpha-Beta on 
games whose value domain is more abstract than the usual integers and reals; 
we go much further by introducing the notions necessary to deal with potentially 
infinite games, and we prove that Alpha-Beta is (partially) correct on potentially 
infinite games: whenever it terminates, it computes the value of the game. This 
step takes us out of the usual domain of combinatorial game theory, where game 
trees can be huge but not infinite, and this is, to our best knowledge, the first 
correctness proof in this setting. 

Then, we present an application to logic programming, and exhibit an example 
to show how Alpha-Beta can give us a significant gain in performance, or even 
terminate where other engines may loop. Finally, we conclude with a selection 
of future directions for research and application. 



2 An Abstract Theory of Two Player Combinatorial Games

In this section, we introduce our formal framework for two player games, together 
with some fundamental notions, like that of a game-tree and the value of a finite 
game [14,15,6]. We then present the notion of an approximation of a game value, 
as is found in the theory of combinatorial games like chess or go, which are too 
big to be fully developed, and use it as a key notion to extend the framework to 
deal with infinite games too. 
2.1 The Rules of the Game

A two player game is the simplest game in combinatorial Game Theory: we find two players, Player and Opponent, each opposed to the other, that play in turn one after the other and that must behave rationally (i.e. their moves are deterministic, and they both seek to win). The game is assumed to be finite, and once one knows the terminal position in a play, the gain (or loss) of each player is known also; besides, what one loses, the other wins, so there always is precisely one winner.

A game is given once one knows its “syntax”, that is the set of all possible plays, and its “semantics”, that is the value of each of these plays (what Player gains or loses towards Opponent). We will formalize each of these aspects in turn, starting here from the “syntax”.

2.2 Basic Definitions: Syntax 

There are two ways of knowing all possible plays: either by giving them extensively as a set, an approach quite inadequate to handle real-world games where this set can be enormous, even if finite; or by giving a set of “positions” and “rules” that allow one to produce all possible plays (like in chess or go) [12].

We will take in what follows this second approach: the following definitions are 
essentially the traditional ones. 

Definition 1 (Syntax of a game). The syntax of a game is formally defined as a tuple

G = (WPOS, BPOS, IPOS, →)

Here WPOS is the set of Player positions, while BPOS is the set of Opponent positions; we write POS for the disjoint sum WPOS ⊕ BPOS, and π for a generic position in POS. The third component, IPOS ⊆ POS, is the set of initial positions in the game. Finally, → ⊆ POS × POS is a locally finite (i.e. only a finite number of pairs in the relation can share their first component) transition relation that represents all the possible moves in a play as transitions between positions.

We require that the moves in the game are alternating, that is to say that whenever π → π' we have that if π is a Player position, then π' is an Opponent position and vice-versa.

Defining → is equivalent to defining a function moves : POS → 2^POS, whose value is moves(π) = {π' | π → π'} and that explicitly gives the possible moves out of a given position.

Once the syntax of a game is known, we have all the necessary information 
to determine when a game is finished (we have reached a terminal position, or 
not). 

Definition 2 (Terminal, non terminal positions). Given a game G, we identify the following derived notions:

terminal positions TPOS = {π ∈ POS | ∄π' such that π → π'}
player terminal positions WTPOS = TPOS ∩ WPOS
opponent terminal positions BTPOS = TPOS ∩ BPOS
non terminal positions NTPOS = {π ∈ POS | ∃π' such that π → π'}
player non terminal positions WNTPOS = NTPOS ∩ WPOS
opponent non terminal positions BNTPOS = NTPOS ∩ BPOS

Finally, all the possible plays starting from a given initial position can be 
represented as a tree, known as a game tree. 

Definition 3 (Game tree [14]). A game tree for an initial position π is a tree having positions as nodes, and representing all possible plays starting at π in the traditional way. Since a game tree can be infinite, it should be formally defined as a fix-point of a suitable monotone function, but we do not enter into the details here. Since the relation → is locally finite, the game tree is finitely branching. A game is finite if its game tree is, infinite otherwise.

2.3 Basic Definitions: Semantics 

It is now time to turn to the essential aspect of a game in classical game theory: its value. To each terminal position, which is reached when a play is complete, is associated a gain for Player, taken out of some domain D (traditionally, the integers), given by an evaluation function h. Of course, this gain for Player is actually a loss for Opponent, and given a set of possible moves, Player chooses the move that maximizes its gain, while Opponent chooses the move that minimizes its loss; this rational choice can be abstracted by two functions ↑ and ↓ on the domain of values. These functions usually operate on the set of possible choices to provide a value, but we prefer to see the choices presented orderly as a tuple, not a set, and we require that the result of the choice function is independent of the order. All these elements give us the semantics part of the game.



Definition 4 (Evaluation structure). An evaluation structure ℰ is a tuple

(D, ↑, ↓, h)

where D is the domain of values, ↑ : D^n → D and ↓ : D^n → D are functions of all finite arities n ≥ 1 materializing the rational choices of Player and Opponent, and h : TPOS → D is the evaluation function giving the value (gain) of each terminal position. We require the ↑ and ↓ functions to be order-independent, that is, for any permutation σ : n → n, ↑(a_1, . . . , a_n) = ↑(a_{σ1}, . . . , a_{σn}) (and similarly for ↓).

Remark 1. The requirement that the choice-functions be order-independent is 
not necessary for the proofs, that go through seamlessly without it. But the 
traditional framework of combinatorial games always enforces this condition, 
and we keep it here to make the presentation of the result more intuitive. 
Given an evaluation structure, it is possible to compute the value of any finite game (this definition mirrors the traditional one).

Definition 5 (Value of a finite game (Minimax propagation)). Given a game G and an evaluation structure ℰ, the function Val : POS → D defined as follows associates to each position in G its value:

$$\mathit{Val}\,\pi = \begin{cases} h(\pi) & \text{if } \pi \in \mathit{TPOS} \\[4pt] \uparrow_{\pi' \in \mathit{moves}(\pi)} \mathit{Val}\,\pi' & \text{if } \pi \in \mathit{WNTPOS} \\[4pt] \downarrow_{\pi' \in \mathit{moves}(\pi)} \mathit{Val}\,\pi' & \text{if } \pi \in \mathit{BNTPOS} \end{cases}$$





2.4 From Huge to Infinite Games 

Many finite games, like chess and go and unlike tic-tac-toe, are so huge that 
computing their value is not feasible. This is why one needs sometimes to try 
to compute an approximation of the value of a game from a given position. For 
that, we simply stop exploring the huge tree at some internal nodes, whose value 
is arbitrarily provided by some heuristic function. We will see that, while heuris- 
tics are simply useful to approximate the value of huge finite games, they are 
essential to define the value of an infinite game. 

But to compute approximations, one needs to be able to compare values, that is, in what follows we assume that D is actually equipped with a partial order relation ≤. Also, for the approximations to be useful, it is necessary that the choice functions ↑ and ↓ be monotone w.r.t. the product partial order induced on D^n by ≤.

In what follows, we will always assume this monotonicity, which is always satis- 
fied by the max and min functions used for traditional combinatorial games. 



Heuristics and approximations A heuristic function is just a function of type NTPOS → D assigning arbitrary values to nonterminal positions in a game, but only some heuristics are interesting, and one usually distinguishes between optimistic and pessimistic heuristics according to the ability of the heuristic to provide an approximation greater than, or smaller than, the actual value.

Definition 6 (Admissible heuristics). A heuristic function φ : NTPOS → D is an admissible pessimistic heuristic (resp. admissible optimistic heuristic) for a finite game iff ∀π ∈ NTPOS. φ(π) ≤ Val π (resp. ≥).

Unfortunately, determining if a heuristic is admissible can be quite hard, and another definition can be more useful in practice: we say a heuristic is monotone if the approximations it provides are consistent among themselves.
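The minimax propagation of Definition 5 over an arbitrary evaluation structure, together with the admissibility check of Definition 6 and the cut-tree approximation of Section 2.4, as an added example (not the paper's code). It assumes a constructed four-leaf game and two constructed evaluation structures: the classical integers with max/min, and finite sets under inclusion with union and intersection as the choice functions, a partially ordered domain of the kind the paper targets.

```python
"""Minimax 'Val' of Definition 5 over an arbitrary evaluation structure,
the admissibility check of Definition 6 and the cut-tree approximation of
Section 2.4. Added example, not the paper's code. A game is a dict 'moves'
(the transition relation, finite and acyclic here so the game tree is finite)
and a set 'wpos' of Player positions; all other positions belong to Opponent."""


class Game:
    def __init__(self, moves, wpos):
        self.moves = moves            # moves(pi): successors of position pi
        self.wpos = set(wpos)         # WPOS; POS \ WPOS is BPOS

    def positions(self):
        seen = set(self.moves)
        for succ in self.moves.values():
            seen.update(succ)
        return seen

    def terminal(self, pi):           # TPOS: no outgoing transition
        return not self.moves.get(pi)


class EvalStructure:
    """(D, up, down, h): 'up' and 'down' map a tuple of values in D to a value
    in D and must be order-independent; they need not be max and min."""
    def __init__(self, up, down, h):
        self.up, self.down, self.h = up, down, h


def val(game, es, pi, phi=None, cut=frozenset()):
    """Val(pi) by minimax propagation. Internal positions listed in 'cut' are
    not expanded: the heuristic 'phi' supplies their value, which yields one
    of the approximations of SetOfVal; cut=frozenset() gives the exact value."""
    if game.terminal(pi):
        return es.h(pi)
    if pi in cut:
        return phi(pi)
    children = tuple(val(game, es, p, phi, cut) for p in game.moves[pi])
    return es.up(children) if pi in game.wpos else es.down(children)


def admissible(game, es, phi, leq, pessimistic=True):
    """Definition 6: phi is admissible pessimistic iff phi(pi) <= Val(pi) for
    every non-terminal pi (admissible optimistic iff >=); 'leq' is the partial
    order on D, which need not be total."""
    for pi in game.positions():
        if game.terminal(pi):
            continue
        v = val(game, es, pi)
        lo, hi = (phi(pi), v) if pessimistic else (v, phi(pi))
        if not leq(lo, hi):
            return False
    return True


# Constructed sample game: Player moves from r to a or b, Opponent then
# chooses a leaf. Leaves a1, a2, b1, b2 are terminal.
GAME = Game({"r": ["a", "b"], "a": ["a1", "a2"], "b": ["b1", "b2"]}, wpos={"r"})

# Classical evaluation structure: integers with max/min.
INT_ES = EvalStructure(max, min, {"a1": 3, "a2": 5, "b1": 2, "b2": 9}.__getitem__)

# Non-totally ordered domain: finite sets under inclusion, with union as
# Player's choice and intersection as Opponent's (a distributive lattice).
_SET_H = {"a1": frozenset({1, 2}), "a2": frozenset({2, 3}),
          "b1": frozenset({1}), "b2": frozenset({1, 3})}
SET_ES = EvalStructure(lambda vs: frozenset().union(*vs),
                       lambda vs: frozenset.intersection(*vs),
                       _SET_H.__getitem__)


def bottom(pi):
    """The canonical pessimistic heuristic (lambda pi . bottom) for the set domain."""
    return frozenset()


if __name__ == "__main__":
    print(val(GAME, INT_ES, "r"))                          # 3
    print(val(GAME, SET_ES, "r"))                          # frozenset({1, 2})
    print(admissible(GAME, SET_ES, bottom, frozenset.issubset))
    print(val(GAME, SET_ES, "r", phi=bottom, cut={"b"}))   # frozenset({2})
```

Note that Val(a) = {2} and Val(b) = {1} are incomparable in the set domain, so the exact value {1, 2} cannot be read off a linear ranking of the moves; the cut approximation with the ⊥ heuristic stays below the exact value, as Section 2.4 requires.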
Definition 7 (Monotone heuristics). A heuristic function φ : NTPOS → D is monotone pessimistic (resp. monotone optimistic) iff:

$$\forall \pi \in \mathit{NTPOS}.\ \begin{cases} \varphi(\pi) \le h(\pi') & \forall \pi' \text{ s.t. } \pi \to \pi' \text{ and } \pi' \in \mathit{TPOS} \quad (\text{resp.} \ge) \\[4pt] \varphi(\pi) \le \varphi(\pi') & \forall \pi' \text{ s.t. } \pi \to \pi' \text{ and } \pi' \in \mathit{NTPOS} \quad (\text{resp.} \ge) \end{cases}$$



Once we have a heuristic, we can build out of our evaluation structure a 
structure useful to compute approximations. 



Definition 8 (Approximation structure). A pessimistic approximation structure (resp. optimistic) is a tuple

(D, ↑, ↓, h, φ)

where (D, ↑, ↓, h) is an evaluation structure, and such that

— ↑ and ↓ are monotone w.r.t. the product order induced on D^n by ≤;

— the function φ' : POS → D defined as φ' = φ ⊕ h (i.e. the disjoint union of the relations φ : NTPOS → D and h : TPOS → D) satisfies:

$$\varphi'(\pi) \le \uparrow_{\pi' \in \mathit{moves}(\pi)} \varphi'(\pi') \quad \text{if } \pi \in \mathit{WNTPOS} \quad (\text{resp.} \ge)$$

$$\varphi'(\pi) \le \downarrow_{\pi' \in \mathit{moves}(\pi)} \varphi'(\pi') \quad \text{if } \pi \in \mathit{BNTPOS} \quad (\text{resp.} \ge)$$


If $D$ contains a minimal element $\bot$, the heuristic $\lambda\pi.\bot$ will give us a canonical 
pessimistic approximation structure. Similarly, if $D$ contains a maximal element 
$\top$, the heuristic $\lambda\pi.\top$ will give us a canonical optimistic approximation structure. 

The monotonicity property allows us to easily prove the following result. 

Proposition 1 (Monotonicity and approximations). 

If $(D, \le)$ is a distributive lattice, and we take $\uparrow = \vee$ (the sup) and $\downarrow = \wedge$ (the 
inf) on $D$, then any monotone pessimistic heuristic (resp. optimistic) gives 
rise to a pessimistic approximation structure (resp. optimistic). 

Once we have an approximation structure at hand, we can compute an ap- 
proximation of the value of a game, by cutting the tree branches at some internal 
nodes, obtaining another (smaller) tree, and computing the value of this cut tree. 
Of course, the approximation thus computed depends on where the cut actually 
takes place, so an approximation structure really gives rise to a whole set of 
approximations. This can be put more formally as follows: 

Definition 9 (Set of approximations of a game ($SetOfVal_\varphi$)). 

Given a game $G$, an evaluation structure $(D, \uparrow, \downarrow, h)$, and a heuristic 
$\varphi : NTPOS \to D$, we define the approximation function for the game $G$, relative 
to $\varphi$, written $SetOfVal_\varphi : POS \to 2^D$, as the smallest function $S : POS \to 2^D$ 
(w.r.t. the point-wise partial order on $POS \to 2^D$ derived from the partial 
order $\subseteq$ on $2^D$) such that: 

1. $S(\pi)$ contains $h(\pi)$ if $\pi \in TPOS$ 

2. $S(\pi)$ contains the element $\varphi(\pi)$ if $\pi \in NTPOS$ 

3. $S(\pi)$ contains the element $\uparrow_{i=1}^{n} v_i$ if $\pi \in WNTPOS$, where $moves(\pi) = \{\pi_1, \pi_2, \ldots, \pi_n\}$ and $v_i \in S(\pi_i)$ 

4. $S(\pi)$ contains the element $\downarrow_{i=1}^{n} v_i$ if $\pi \in BNTPOS$, where $moves(\pi) = \{\pi_1, \pi_2, \ldots, \pi_n\}$ and $v_i \in S(\pi_i)$ 

We remark here that $SetOfVal_\varphi(\pi)$ is well defined for all positions $\pi$ as its 
value is the least fixed point of a monotone function over the complete lattice 
$2^D$, which always exists due to the Knaster-Tarski fixed-point theorem. 

Actually, this really defines a function $SetOfVal : (NTPOS \to D) \to POS \to 2^D$, 
which we will apply to monotone heuristic functions in order to obtain a set 
of approximations having a reasonable algebraic structure. 

Proposition 2 (Algebraic structure of the monotone approximations). 

If $(D, \le, \uparrow, \downarrow, h, \varphi)$ is a pessimistic approximation structure (resp. 
optimistic) then for all positions $\pi \in POS$ the set $SetOfVal_\varphi(\pi) \in 2^D$ is an 
upper-semi-lattice (i.e. $\forall x, y \in S.\ x \vee y \in S$) (resp. lower-semi-lattice). 
Moreover, if the game is finite, then $SetOfVal_\varphi(\pi)$ contains its upper (resp. 
lower) limit $Val\,\pi$. 

To put it in other terms, for finite games, given any monotone pessimistic 
heuristic $h_{pess}$ and any monotone optimistic heuristic $h_{opt}$, we have that 

$SetOfVal_{h_{pess}}(\pi) \cap SetOfVal_{h_{opt}}(\pi) = \{Val\,\pi\}$ 



Example 1. In the following picture, we give the game tree of a finite game (on 
the left), and three smaller game trees obtained by cutting the full tree at some 
positions. The evaluation domain $D$ is $Nat \times Nat$ with $\le$ the product order and 
we use the trivial heuristic $h_{pess} = \lambda\pi.(0, 0)$. Each tree is labelled with its valu- 
ation (the values of the trees on the right are approximations in $SetOfVal_{h_{pess}}(\pi)$): 
notice that the set of approximations is not totally ordered. Terminal nodes are 
grey, nonterminal ones are white; player nodes are circles, opponent nodes are squares, 
and cut nodes are crossed. 

[Figure: the full game tree, valued (1, 3), and three cut trees, valued (0, 0), (1, 2) and (0, 3).] 
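As an added illustration (this is not code from the paper), the following Python script computes $SetOfVal_\varphi$ of Definition 9 as a least fixed point on a small constructed game tree over $D = Nat \times Nat$ with the product order, the domain of Example 1, and checks the facts of Propositions 1 and 2 and of the intersection formula above on it. The tree, its terminal values and the optimistic heuristic $\lambda\pi.(9, 9)$ are assumptions made for this example.

```python
# Added example (not from the paper): SetOfVal_phi of Definition 9 computed as a least
# fixed point on a small constructed game tree over D = Nat x Nat with the product order,
# the domain of Example 1. Positions, values and h_opt are constructed for this illustration.
from itertools import product

# Constructed game tree: ("W", children) is a player node, ("B", children) an opponent
# node, ("T", value) a terminal. moves(pi) is the children list.
GAME = {
    "root": ("W", ["a", "b"]),
    "a":    ("B", ["t1", "t2"]),
    "b":    ("B", ["t3", "t4"]),
    "t1":   ("T", (1, 3)),
    "t2":   ("T", (2, 2)),
    "t3":   ("T", (0, 5)),
    "t4":   ("T", (3, 4)),
}

def join(*vs):  return tuple(max(c) for c in zip(*vs))    # player's choice: componentwise max (sup)
def meet(*vs):  return tuple(min(c) for c in zip(*vs))    # opponent's choice: componentwise min (inf)
def leq(x, y):  return all(a <= b for a, b in zip(x, y))  # the product order on Nat x Nat

def value(pos):
    """Val(pos): the exact value of the finite game, computed over the whole tree."""
    kind, data = GAME[pos]
    if kind == "T":
        return data
    return (join if kind == "W" else meet)(*(value(p) for p in data))

def set_of_val(heuristic):
    """Smallest S : POS -> 2^D closed under the four clauses of Definition 9, obtained by
    Knaster-Tarski iteration from the empty sets (finite here: finitely many values arise)."""
    S = {p: set() for p in GAME}
    changed = True
    while changed:
        changed = False
        for pos, (kind, data) in GAME.items():
            new = set()
            if kind == "T":
                new.add(data)                       # clause 1: h(pi) for a terminal
            else:
                new.add(heuristic(pos))             # clause 2: the heuristic value phi(pi)
                choice = join if kind == "W" else meet
                for combo in product(*(S[p] for p in data)):
                    new.add(choice(*combo))         # clauses 3/4: one v_i per move, combined
            if not new <= S[pos]:
                S[pos] |= new
                changed = True
    return S

def is_upper_semilattice(s): return all(join(x, y) in s for x in s for y in s)
def is_lower_semilattice(s): return all(meet(x, y) in s for x in s for y in s)
def has_incomparable(s):     return any(not leq(x, y) and not leq(y, x) for x in s for y in s)

def h_pess(pos): return (0, 0)   # Example 1's trivial pessimistic heuristic (the bottom of D)
def h_opt(pos):  return (9, 9)   # constructed optimistic heuristic: above every terminal value here

def summary():
    """The facts of Propositions 1-2 and of the intersection formula, at the root."""
    pess, opt = set_of_val(h_pess)["root"], set_of_val(h_opt)["root"]
    return {
        "val": value("root"),
        "pess": pess,
        "opt": opt,
        "pess_upper_semilattice": is_upper_semilattice(pess),
        "opt_lower_semilattice": is_lower_semilattice(opt),
        "pess_not_totally_ordered": has_incomparable(pess),
        "intersection": pess & opt,
    }

if __name__ == "__main__":
    for key, val in summary().items():
        print(key, val)
```

At the root the pessimistic set contains the incomparable approximations (0, 4) and (1, 2), as in Example 1, while the pessimistic and optimistic sets meet exactly in the game value.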
2.5 Infinite Games 

The framework set up to approximate the value of huge games can be used as 
is to handle infinite games too. Indeed the SetOfVal function, defined as we 
did, is well defined both on finite and infinite games. This allows us to formally 
define two canonical approximations of the value of an infinite game, as partial 
functions assigning to each position the limit of its approximations, if it exists. 

Definition 10 (Limit values of a game, $Val_{h_{pess}}$, $Val_{h_{opt}}$). If $(D, \le, \uparrow, \downarrow, h, h_{pess})$ 
is a pessimistic approximation structure, then 

$Val_{h_{pess}}(\pi) \doteq \sup SetOfVal_{h_{pess}}(\pi)$ 

If $(D, \le, \uparrow, \downarrow, h, h_{opt})$ is an optimistic approximation structure, then 

$Val_{h_{opt}}(\pi) \doteq \inf SetOfVal_{h_{opt}}(\pi)$ 

where we write $x \doteq y$ for "$x$ is equal to $y$ if $y$ is defined". 

If they coincide, that defines the value $Val\,\pi$ of the infinite game on $\pi$. 

Notice that $Val_{h_{pess}}$ is defined everywhere if the domain is a complete partial 
order (CPO), and $Val_{h_{opt}}$ is defined everywhere if the domain is a co-complete 
partial order (co-CPO). Also, on finite games both approximations coincide with 
the value of the finite game. 

Proposition 3 (Relating approximations). Given a pessimistic approxima- 
tion structure and an optimistic approximation structure sharing the same evalu- 
ation structure (hence differing only in the heuristic functions, $h_{pess}$ and $h_{opt}$), 
such that $h_{pess}(\pi) \le h_{opt}(\pi)$ for all non terminal positions $\pi$, we have that 

$h_{pess}(\pi) \le y \quad \forall y \in SetOfVal_{h_{opt}}(\pi); \qquad h_{opt}(\pi) \ge x \quad \forall x \in SetOfVal_{h_{pess}}(\pi)$ 

for all non terminal positions $\pi$. 

Proof. We give the proof of the first inequality by induction on the definition of 
$y \in SetOfVal_{h_{opt}}$. The second inequality is proved similarly. 

— Base case: $y = h_{opt}(\pi)$ and $h_{pess}(\pi) \le y$ by hypothesis 

— Inductive step: suppose $\pi \in WNTPOS$ (the case $\pi \in BNTPOS$ is proved 
similarly, using the monotonicity of $\downarrow$); we have that 

$h_{pess}(\pi) \le \uparrow_{i=1}^{n} h_{pess}(\pi_i)$ because $(D, \le, \uparrow, \downarrow, h, h_{pess})$ is an approximation structure 

$\qquad \le \uparrow_{i=1}^{n} y_i$ by induction hypothesis and monotonicity of $\uparrow$ 

$\qquad = y$ 
Corollary 1 (Finite computations for infinite games). Under the hypoth- 
esis of the previous proposition, we only have two possible cases: 

1. $SetOfVal_{h_{pess}}(\pi) \cap SetOfVal_{h_{opt}}(\pi) = \{v\}$ where $v = Val\,\pi$ 

2. $SetOfVal_{h_{pess}}(\pi) \cap SetOfVal_{h_{opt}}(\pi) = \emptyset$ 

The first case gives us a sufficient condition to stop the computation of the 
approximations on an infinite game tree: as soon as the intersection is non empty, 
we know we have the value of the game, without needing to fully compute the 
set of approximations. 

We will use these properties in our analysis of the Alpha-Beta algorithm on 
infinite games. 



3 Correctness of the Alpha-Beta Algorithm 

We turn now to the central result of the paper: the correctness proof of the Alpha- 
Beta algorithm on approximation structures that are distributive lattices. 

Let us first recall the definition of the Alpha-Beta algorithm, extended with 
heuristic functions (see for example [14] for an excellent introduction to Alpha- 
Beta), where the $\alpha$ and $\beta$ parameters provide a lower and an upper bound on 
the value that we want the algorithm to provide us with. 

Definition 11 (Sequential Alpha-Beta algorithm). The Alpha-Beta algorithm is 
defined, in pseudo-language, as follows 

function AlphaBeta(π : Pos; α, β : D) : D 
begin 
  if π ∈ TPOS then return(h(π)); 
  if π ∈ WNTPOS and moves(π) = {π_1, ..., π_n} then begin 
    v := α ↑ h_pess(π); 
    i := 1; 
    while (not v ≥ β) and (i ≤ n) do begin 
      v := v ↑ AlphaBeta(π_i, v, β); 
      i := i + 1; 
    end; 
  end; 
  if π ∈ BNTPOS and moves(π) = {π_1, ..., π_n} then begin 
    v := β ↓ h_opt(π); 
    i := 1; 
    while (not v ≤ α) and (i ≤ n) do begin 
      v := v ↓ AlphaBeta(π_i, α, v); 
      i := i + 1; 
    end; 
  end; 
  return(v); 
end; 
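The following Python transcription of Definition 11 is an added example, not the paper's own code. It runs Alpha-Beta on a distributive lattice, here $D = \{0..9\} \times \{0..9\}$ with the product order, componentwise max as $\uparrow$ and componentwise min as $\downarrow$, using the canonical heuristics $\lambda\pi.\bot$ and $\lambda\pi.\top$. The game tree and the bounds tried are constructed for the illustration; the script records which positions are expanded, so one can see a cut happen, and checks the call with $\alpha = \bot$, $\beta = \top$ against the full minimax value.

```python
# Added example (not from the paper): Definition 11's Alpha-Beta on a distributive lattice,
# instantiated on D = {0..9} x {0..9} with the product order. Componentwise max is the sup
# (player's choice), componentwise min the inf (opponent's choice). The game tree, bounds
# and heuristics (lambda pi.bottom, lambda pi.top) are constructed for this illustration.
BOT, TOP = (0, 0), (9, 9)

def join(x, y): return (max(x[0], y[0]), max(x[1], y[1]))   # sup: the player's choice function
def meet(x, y): return (min(x[0], y[0]), min(x[1], y[1]))   # inf: the opponent's choice function
def leq(x, y):  return x[0] <= y[0] and x[1] <= y[1]         # the product partial order

# Constructed finite game: ("W", children) player node, ("B", children) opponent node,
# ("T", value) terminal. moves(pi) is the children list, in the order Alpha-Beta tries them.
GAME = {
    "root": ("W", ["A", "B", "C"]),
    "A": ("B", ["a1", "a2"]),       "a1": ("T", (3, 4)), "a2": ("T", (5, 2)),
    "B": ("B", ["b1", "b2"]),       "b1": ("T", (1, 1)), "b2": ("T", (6, 6)),
    "C": ("B", ["c1", "c2", "c3"]), "c1": ("T", (4, 5)), "c2": ("T", (2, 7)), "c3": ("T", (9, 0)),
}

def h_pess(pos): return BOT   # canonical pessimistic heuristic (bottom of D)
def h_opt(pos):  return TOP   # canonical optimistic heuristic (top of D); h_pess <= h_opt holds

def minimax(pos):
    """Val(pos): the exact value of the finite game, visiting the whole tree."""
    kind, data = GAME[pos]
    if kind == "T":
        return data
    op = join if kind == "W" else meet
    acc = minimax(data[0])
    for child in data[1:]:
        acc = op(acc, minimax(child))
    return acc

def alpha_beta(pos, alpha, beta, visited):
    """Definition 11, step by step; `visited` records every position actually expanded."""
    visited.append(pos)
    kind, data = GAME[pos]
    if kind == "T":
        return data
    if kind == "W":
        v = join(alpha, h_pess(pos))
        for child in data:
            if leq(beta, v):                 # loop guard (not v >= beta) failed: cut the rest
                break
            v = join(v, alpha_beta(child, v, beta, visited))
        return v
    v = meet(beta, h_opt(pos))
    for child in data:
        if leq(v, alpha):                    # loop guard (not v <= alpha) failed: cut the rest
            break
        v = meet(v, alpha_beta(child, alpha, v, visited))
    return v

def equal_modulo(alpha, beta, u, w):
    """Definition 12 at a player position: alpha ↑ [beta ↓ u] = alpha ↑ [beta ↓ w]."""
    return join(alpha, meet(beta, u)) == join(alpha, meet(beta, w))

def run(alpha=BOT, beta=TOP):
    """Runs Alpha-Beta from the root; returns (value, list of visited positions)."""
    visited = []
    return alpha_beta("root", alpha, beta, visited), visited

if __name__ == "__main__":
    v, seen = run()
    print("AlphaBeta(root, bot, top) =", v, " Val =", minimax("root"))
    print("expanded", len(seen), "of", len(GAME), "positions; skipped", sorted(set(GAME) - set(seen)))
```

Note that at the opponent node C the running value (2, 5) is incomparable with $\alpha = (3, 2)$, so no cut is possible there even though it would be in a totally ordered domain; at B the value (1, 1) is below $\alpha$ and the second move is never expanded.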
We will prove in the following a key result of relative correctness of Alpha- 
Beta: if the algorithm is called with an $\alpha$ and a $\beta$ parameter, it will never 
return anything outside the interval $\alpha, \beta$, so we can only expect to prove that 
the value it computes is correct up to the interval we gave. But this result is a 
sort of induction loading needed in the proof: the interesting point is the corol- 
lary: when we call it with $\alpha = \bot$ and $\beta = \top$, it gives the correct result whenever 
it terminates. 

Let us first establish a simple property of distributive lattices. 

Lemma 1 (Insertion). Let $(D, \le)$ be a distributive lattice and $\uparrow = \vee$ (the sup), 
$\downarrow = \wedge$ (the inf) on $D$. Then for all $\alpha, \beta, x$ we have that 

$\alpha \uparrow [\beta \downarrow x] = \alpha \uparrow [\beta \downarrow (\alpha \uparrow x)]$ and $\beta \downarrow [\alpha \uparrow x] = \beta \downarrow [\alpha \uparrow (\beta \downarrow x)]$ 

Proof. 

$\alpha \uparrow [\beta \downarrow (\alpha \uparrow x)] = \alpha \uparrow [(\beta \downarrow \alpha) \uparrow (\beta \downarrow x)]$ by distributivity 

$\qquad = \alpha \uparrow (\beta \downarrow x)$ because $(\beta \downarrow \alpha) \le \alpha$ 

The second equation is proved similarly. 

Definition 12 (Equality modulo $\alpha\beta$). We will write $AlphaBeta(\pi, \alpha, \beta) =_{\alpha\beta} z$, 
where $z \in D$, as an abbreviation of one of the following equations over $D$, 
according to the type of the position $\pi$: 

$\alpha \uparrow [\beta \downarrow AlphaBeta(\pi, \alpha, \beta)] = \alpha \uparrow [\beta \downarrow z]$ if $\pi \in WPOS$ 

$\beta \downarrow [\alpha \uparrow AlphaBeta(\pi, \alpha, \beta)] = \beta \downarrow [\alpha \uparrow z]$ if $\pi \in BPOS$ 

Theorem 1 (Relative correctness of the AlphaBeta method). Let $(D, \le)$ 
be a distributive lattice and suppose we apply the method AlphaBeta with $\uparrow = \vee$ 
(the sup) and $\downarrow = \wedge$ (the inf) of $D$, and with a couple of monotone heuristics 
$h_{pess}$ and $h_{opt}$, respectively pessimistic and optimistic, such that $h_{pess}(\pi) \le 
h_{opt}(\pi)$ for all positions $\pi \in NTPOS$. Then, for all positions $\pi \in POS$, and 
for all $\alpha, \beta \in D$, if the function $AlphaBeta(\pi, \alpha, \beta)$ terminates, then there exist 
$x \in SetOfVal_{pess}(\pi)$ and $y \in SetOfVal_{opt}(\pi)$ such that: 

$AlphaBeta(\pi, \alpha, \beta) =_{\alpha\beta} x$ 
$AlphaBeta(\pi, \alpha, \beta) =_{\alpha\beta} y$ 

Proof. This is a long induction on the structure of the finite part of the tree 
visited by the algorithm whenever it terminates. Full details are given in the 
appendix. 

Corollary 2 (Correctness of the AlphaBeta method). In the hypothesis of 
Theorem 1, suppose also that $D$ contains a minimal element $\bot$ and a maximal 
element $\top$. Then, if the method $AlphaBeta(\pi, \alpha, \beta)$ with $\alpha = \bot$ and $\beta = \top$ 
terminates returning the value $v$ then 

$v = Val_{h_{pess}}(\pi) = Val_{h_{opt}}(\pi) = Val\,\pi$ 
4 An Application to Logic Programming 

We believe that, while the core result of the paper is really the proof of correct- 
ness we provided, it would not be satisfactory to conclude it without providing a 
significant example of application outside the scope of traditional game-playing 
like chess. So we turn now to our favorite example, that was also the starting 
point of [5] : the world of logic programming. In what follows, we radically im- 
prove w.r.t. [5] by actually treating constraint logic programming (that includes 
traditional logic programming via the special case of Herbrand constraints). 

We suppose that the constraints $C$ come equipped with an intersection operator 
$\wedge$ (for Herbrand terms, this is the usual most general unifier for substitutions), 
and a disjunction operator $\vee$. We also suppose that the relation of logical im- 
plication of constraints $\Rightarrow$ is a partial order on $C$, and we assume the empty 
constraint $true$, and the never satisfied constraint $false$. 

We now give the syntax and semantics of the game of a constraint logic program, 
but we need to assume, due to lack of space, familiarity with constraint logic 
programming (CLP) (see [8] for an introduction). 

4.1 Syntax of the Game 

Definition 13 (Positions). The set of positions $\pi \in POS$ is defined as follows 

$WPOS \ni \pi ::= (A, c)$ 

$BPOS \ni \pi ::= [G, c]$ 

where $G$ is a positive (conjunctive) goal, $A$ is a positive atom and $c$ is a (con- 
junctive) constraint in $C$. 

We follow the traditional notation in game theory that uses circles (here, paren- 
theses) for player positions, and squares (here square parentheses) for opponent 
positions. 

Definition 14 (Initial Positions). The game starts from an opponent position 
having an empty constraint: 

$IPOS \ni \pi ::= [G, true]$ 

We now define the transition relation by giving explicitly the moves function. 



Definition 15 (Rules of a CLP game, $\to_{CLP}$). The possible moves, that 
define the transition relation $\to_{CLP}$ for the CLP game for a given CLP program 
$P$, are as follows: 

player moves: in a player position $(A, c)$, player can choose any (renaming of) 
a rule $A \leftarrow c' \mid A_1, A_2, \ldots, A_n$ of $P$, s.t. $c \wedge c'$ is satisfiable in the constraint 
algebra of $C$, and reach an opponent position $[(A_1, A_2, \ldots, A_n), c \wedge c']$ 

opponent moves: in an opponent position $[(A_1, A_2, \ldots, A_n), c]$, opponent can 
choose any atom $A_i$ and reach a player position $(A_i, c)$. 
4.2 Semantics of a CLP(C) Game 

The game of a CLP program can easily be infinite, so we need an approximation 
structure and some heuristic functions to obtain an approximation of the game 
value. The values we have to handle are "disjunctions" of constraints, represented 
as sets of constraints, hence elements of the powerset of $C$. Such a disjunction 
denotes a solution space in any model of $C$, and so we say that a set of 
constraints is greater than another when its denotation is bigger than (covers) the 
denotation of the other. More formally 

Definition 16 (The partially ordered domain of values). The evaluation 
domain is $D = 2^C$, the powerset of the constraints. We equip $D$ with a partial 
order $\le$ which is the covering extension [7] of the partial order induced on the 
constraints by the logical implication of constraints: 

$d_1 \le d_2 \text{ iff } \forall c_1 \in d_1\ \exists e_1, \ldots, e_n \in d_2 \text{ s.t. } c_1 \Rightarrow \bigvee_{i=1,\ldots,n} e_i$ 

Definition 17 (Evaluation of terminal positions). The evaluation function 
on terminal nodes is defined as 

$h(A, c) = \emptyset$ 
$h[\Box, c] = \{c\}$ 

where $\Box$ is the empty goal. 

Player takes the set theoretic union of values, while opponent takes the in- 
tersection of the denotations of the constraints; more formally 

Definition 18 (Player and opponent choice functions). The functions $\uparrow, \downarrow : 
(2^C)^n \to 2^C$ are defined as $\uparrow = \cup$ and $\downarrow = \wedge$, where $\wedge$ is defined as $d_1 \wedge \ldots \wedge 
d_n = \{c_1 \wedge \ldots \wedge c_n \mid c_1 \in d_1, \ldots, c_n \in d_n\}$. Both functions are monotone w.r.t. 
the order on $D$. 

We define now two heuristics as follows 

Definition 19 (Heuristics). For any nonterminal position $\pi = (A, c)$ or $\pi = 
[G, c]$ 

$h_{pess}(\pi) = \emptyset$ 
$h_{opt}(\pi) = \{c\}$ 

In this game, if $\pi \to_{CLP} \pi'$, then the constraint component $c'$ of $\pi'$ is either 
the constraint component $c$ of $\pi$, or $c \wedge c''$ for some constraint $c''$. In both 
cases, $c' \Rightarrow c$, hence $h_{opt}(\pi) \ge h_{opt}(\pi')$. Also, trivially $h_{pess}(\pi) \le h_{pess}(\pi')$, so 
both heuristics are monotone, and we have at hand both an optimistic and a 
pessimistic approximation structure for the game of CLP(C). 

This general construction yields an interesting object when the evaluation 
domain $2^C$ satisfies the condition for applying Alpha-Beta; this depends in gen- 
eral on $C$, but there are many examples that satisfy the requirement, like the 
case of ex-equations $Eqn$ (see [10]), for which it is easy to verify that $\uparrow = \cup$ 
and $\downarrow =$ most general unifier (for ex-equations) are the sup and inf on the 
domain $2^{Eqn}$ and that they satisfy the hypothesis of the Alpha-Beta theorem, 
that can then be used to compute the answers. 
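As an added example (not the paper's code), the following Python script makes the domain of Definitions 16 to 19 concrete and replays the cut of Example 2 below on it. The simplification assumed here is that a constraint on the single variable $X$ is represented by its denotation, the set of ground terms satisfying it, over a Herbrand universe built from $a/0$ and $f/1$ and truncated at depth 3; implication then becomes inclusion and conjunction intersection, so the covering order, the union $\uparrow$ and the pairwise meet $\downarrow$ can be checked directly.

```python
# Added example (not from the paper): the value domain of Definitions 16-19 made concrete.
# Simplification assumed here: a constraint on the single variable X is represented by its
# denotation, the set of ground terms satisfying it, over a Herbrand universe built from
# {a/0, f/1} and truncated at depth 3. Implication is then inclusion, conjunction intersection.
from itertools import product

UNIVERSE = frozenset(["a", "f(a)", "f(f(a))", "f(f(f(a)))"])     # constructed, truncated

def constraint(pred):
    """The denotation of a constraint: the ground terms of the universe satisfying it."""
    return frozenset(t for t in UNIVERSE if pred(t))

TRUE   = constraint(lambda t: True)                 # the empty constraint `true`
C_EX_Y = constraint(lambda t: t.startswith("f("))   # exists Y. X = f(Y)
C_FA   = constraint(lambda t: t == "f(a)")          # X = f(a)
C_FFA  = constraint(lambda t: t == "f(f(a))")       # X = f(f(a))

def implies(c1, c2):
    """c1 => c2 iff every solution of c1 is a solution of c2."""
    return c1 <= c2

def covers(d1, d2):
    """Definition 16: d1 <= d2 iff every c1 in d1 implies the disjunction of some e_i in d2.
    With denotations, the disjunction of all of d2 is the largest candidate, so it suffices."""
    return all(implies(c1, frozenset().union(*d2)) for c1 in d1)

def up(*ds):
    """Definition 18: the player's choice is set union, the disjunction of the answers."""
    return frozenset().union(*ds)

def down(*ds):
    """Definition 18: d1 ∧ ... ∧ dn = { c1 ∧ ... ∧ cn | ci in di }; an empty set of
    constraints (no answers) absorbs everything, as product() over it is empty."""
    return frozenset(frozenset.intersection(*combo) for combo in product(*ds))

def singleton(c):
    return frozenset([c])

def example2_cut():
    """Example 2: rule 1 has already produced alpha = {exists Y. X = f(Y)}. The opponent
    node [q(X), r(X)] starts from beta ↓ h_opt = {true}, meets it with q(X)'s answers and
    then tests Alpha-Beta's cut condition v <= alpha before ever looking at r(X)."""
    alpha = singleton(C_EX_Y)
    q_answers = up(singleton(C_FA), singleton(C_FFA))     # rules 3 and 4: {X = f(a), X = f(f(a))}
    v = down(singleton(TRUE), q_answers)
    return v, covers(v, alpha)

def meet_stays_below(v, alpha):
    """Why the cut is sound: whatever r(X) answers, the opponent's meet cannot rise above alpha."""
    candidates = [singleton(TRUE), singleton(C_FA), singleton(C_EX_Y), frozenset()]
    return all(covers(down(v, r), alpha) for r in candidates)

if __name__ == "__main__":
    v, cut = example2_cut()
    print("v =", [sorted(c) for c in v], "cut condition v <= alpha:", cut)
```

The check `covers(v, alpha)` is exactly the guard `not v ≤ α` of the opponent loop in Definition 11 evaluating to false, which is where the subtree rooted at $r(X)$ is abandoned.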

Let us see how Alpha-Beta works on an example. 

Example 2. Consider the (classical) logic program 

1. p(f(Y)). 

2. p(X) :- q(X), r(X). 

3. q(f(a)). 

4. q(f(f(a))). 

5. r(X). 

Here, if we consider the goal $p(X)$, once we use rule 1 and get the answer 
$\exists Y. X = f(Y)$, it is useless to try rule 2, as rule 2 finds answers for $q(X)$ of the 
shape $\{X = f(a), X = f(f(a))\}$. Since the most general unifier always gives 
a result which is less than its arguments, we cannot find anything better than 
$\{X = f(a), X = f(f(a))\}$. Without even knowing the answer for $r(X)$, we can 
give up the search right there. This is what Alpha-Beta does, by cutting the 
subtree rooted at $r(X)$ and exiting with the answer $\{\exists Y. X = f(Y)\}$: 




We provide a second example where the cut takes place at a player node. 

Example 3. Consider the program 

1. p(X,Y,Z) :- q(X,Y), r(X,Z). 

2. q(a,b). 

3. r(a,Z). 

4. r(X,Z) :- ... 

Starting with a goal $p(X, Y, Z)$, we use rule 1, then we evaluate the sub-goal 
$q(X, Y)$, that forces $X = a$, and we use rule 3 to solve $r(X, Z)$. After that, we 
have a solution where $X = a$ and we force no constraint on $Z$. That means that 
there is no interest in looking for other solutions to $r(X, Z)$, as $X = a$ is forced 
by $q(X, Y)$. Again, this is what AlphaBeta really does, with a cut condition 
$\alpha \ge \beta$: 
5 Conclusions and Future Work 

We have introduced a formal framework to extend the traditional notion of 
value of a combinatorial game in order to deal with games whose value can now 
range on arbitrary partially ordered domains. Also, by means of the notion of 
approximation structure (pessimistic and optimistic), we can now give a precise 
meaning to the value of a potentially infinite game. In this general framework, 
we have generalized the well-known Alpha-Beta algorithm to compute values in 
an arbitrary distributive lattice, and formally proved that this algorithm is par- 
tially correct in general on infinite games, and correct on finite ones. This is, in 
our opinion, a significant achievement, as the algorithm can now be confidently 
applied to many different fields, quite far apart from the traditional fields of 
application of combinatorial game theory. As an example, we have provided an 
instantiation of the game framework for (constraint) logic programming, that 
includes the minimax characterization of the semantics of logic programming 
formally introduced by the authors in [5], and we have shown how the Alpha- 
Beta method can be used to compute (efficiently) the set of answers for a given 
goal. 

Another very promising direction of research is in the field of abstract interpre- 
tation, where the very same algorithm could be used to compute the abstract 
value of a program, by just changing the value domain, thus providing a more 
efficient means of performing static analysis. 

Finally, we believe that this approach can be interesting also for the study of 
logic programming in the presence of negative atoms in the clauses. 
A Proof of the Relative Correctness Theorem 

Here is the proof of Theorem 1. 

Proof. If the method terminates this means that it computes the value visiting 
only a finite part of the (possibly infinite) game tree. So we can proceed by 
induction on the structure of this finite part. We give the proof of the case 
$\pi \in WPOS$, i.e. the player positions. For opponent positions the proof is similar. 

Base case. The method visits a unique node and returns the value 
$v = AlphaBeta(\pi, \alpha, \beta) \in D$. There are only two possibilities: 

— The node is terminal: $\pi \in TPOS$. 

This implies $v = h(\pi)$, so $x = h(\pi) \in SetOfVal_{pess}(\pi)$ and $y = h(\pi) \in SetOfVal_{opt}(\pi)$ 
verify trivially the equality modulo $\alpha\beta$ with $v$. 
— The node was immediately cut because $v \ge \beta$. 

Let $x = h_{pess}(\pi) \in SetOfVal_{pess}(\pi)$ and $y = h_{opt}(\pi) \in SetOfVal_{opt}(\pi)$. Then 

$\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow [\beta \downarrow (\alpha \uparrow h_{pess}(\pi))]$ because $v = \alpha \uparrow h_{pess}(\pi)$ 

$\qquad = \alpha \uparrow [\beta \downarrow h_{pess}(\pi)]$ by Lemma 1 

$\qquad = \alpha \uparrow [\beta \downarrow x]$ 

So $v =_{\alpha\beta} x$. Moreover, since $\alpha \uparrow h_{pess}(\pi) \ge \beta$ we have also $\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow 
\beta$. Using the hypothesis $h_{pess}(\pi) \le h_{opt}(\pi)$, we obtain, by monotonicity of the 
operator $\uparrow$, that also $\alpha \uparrow h_{opt}(\pi) \ge \beta$, so $\alpha \uparrow [\beta \downarrow y] = \alpha \uparrow [\beta \downarrow (\alpha \uparrow h_{opt}(\pi))] = 
\alpha \uparrow \beta$, that means $v =_{\alpha\beta} y$. 

Structural induction. In the position $\pi$, we suppose that the algorithm has ana- 
lyzed $n$ moves of the player among the $m$ possible moves (with $m \ge n$) before 
returning the result. We now proceed by a sub-induction on $n$. 

— Case $n = 1$ 

This implies $v = AlphaBeta(\pi, \alpha, \beta) = \alpha \uparrow h_{pess}(\pi) \uparrow AlphaBeta(\pi_1, v_0, \beta)$ (*) where 
$v_0 = \alpha \uparrow h_{pess}(\pi)$. By inductive hypothesis on the structure of the tree we have that there 
exist $x_1 \in SetOfVal_{pess}(\pi_1)$ and $y_1 \in SetOfVal_{opt}(\pi_1)$ such that: 

$AlphaBeta(\pi_1, v_0, \beta) =_{v_0\beta} x_1$ 
$AlphaBeta(\pi_1, v_0, \beta) =_{v_0\beta} y_1$ 

Since $\pi_1 \in BPOS$ is an opponent position, that means: 

$\beta \downarrow [v_0 \uparrow AlphaBeta(\pi_1, v_0, \beta)] = \beta \downarrow [v_0 \uparrow x_1] = \beta \downarrow [v_0 \uparrow y_1]$ (**) 

We distinguish now between two reasons of termination of the algorithm: the 
case $n = m = 1$ (all the moves have been evaluated) and the case $n = 1 < m$ 
(some moves have been cut). 

— Sub-case $n = m = 1$ 

We define the approximations: $x = \uparrow x_1 = x_1$ and $y = \uparrow y_1 = y_1$. By definition 
$x \in SetOfVal_{pess}(\pi)$ and $y \in SetOfVal_{opt}(\pi)$, so: 

$\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow [\beta \downarrow (v_0 \uparrow AlphaBeta(\pi_1, v_0, \beta))]$ by (*) 

$\qquad = \alpha \uparrow [\beta \downarrow (\alpha \uparrow h_{pess}(\pi) \uparrow x_1)]$ by (**) 

$\qquad = \alpha \uparrow [\beta \downarrow (h_{pess}(\pi) \uparrow x)]$ by Lemma 1 and $x = x_1$ 

$\qquad = \alpha \uparrow [\beta \downarrow x]$ because $h_{pess}(\pi) \le x$ 

The last fact in the proof, $h_{pess}(\pi) \le x$, is ensured because $h_{pess}$ is a monotone 
pessimistic heuristic. With the same logical steps we prove $\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow [\beta \downarrow y]$ where 
the necessary condition $h_{pess}(\pi) \le y$ is ensured by Prop. 3 using the hypothesis 
$h_{pess}(\pi) \le h_{opt}(\pi)$. 

— Sub-case $n = 1 < m$ 

If the algorithm has cut the $m - 1$ remaining moves, this means that the condition 
$v_0 \uparrow v_1 \ge \beta$, where $v_1 = AlphaBeta(\pi_1, v_0, \beta)$, was true. This implies $\alpha \uparrow [\beta \downarrow 
v] = \alpha \uparrow [\beta \downarrow (v_0 \uparrow v_1)] = \alpha \uparrow \beta$. We can define the approximations $x = x_1 \uparrow x'_1$ 
where $x'_1 = h_{pess}(\pi_2) \uparrow \cdots \uparrow h_{pess}(\pi_m)$ and $y = y_1 \uparrow y'_1$ where $y'_1 = h_{opt}(\pi_2) \uparrow 
\cdots \uparrow h_{opt}(\pi_m)$. By definition $x \in SetOfVal_{pess}(\pi)$ and $y \in SetOfVal_{opt}(\pi)$. 
Then 

$\alpha \uparrow [\beta \downarrow x] = \alpha \uparrow [\beta \downarrow (\alpha \uparrow x)]$ by Lemma 1 

$\qquad = \alpha \uparrow [\beta \downarrow (\alpha \uparrow h_{pess}(\pi) \uparrow x)]$ because $h_{pess}(\pi) \le x$ 

$\qquad = \alpha \uparrow [\beta \downarrow (v_0 \uparrow x_1 \uparrow x'_1)]$ by def. of $v_0$ and $x$ 

$\qquad = \alpha \uparrow [\beta \downarrow (v_0 \uparrow x_1)] \uparrow [\beta \downarrow x'_1]$ by distributive law 

$\qquad = \alpha \uparrow [\beta \downarrow (v_0 \uparrow v_1)] \uparrow [\beta \downarrow x'_1]$ by (**) 

$\qquad = \alpha \uparrow \beta \uparrow [\beta \downarrow x'_1]$ because $v_0 \uparrow v_1 \ge \beta$ 

$\qquad = \alpha \uparrow \beta$ because $\beta \downarrow x'_1 \le \beta$ 

Using Prop. 3 we can infer $h_{pess}(\pi) \le y$ and use it to prove $\alpha \uparrow [\beta \downarrow y] = 
\alpha \uparrow \beta$ with these same logical steps. 

— Case $n > 1$ 

By definition of the method, if we consider a fake position $\pi'$ with only the 
first $n - 1$ moves of $\pi$, and another fake position $\pi''$ having only the $n$th move, we 
can write $v = AlphaBeta(\pi, \alpha, \beta) = AlphaBeta(\pi', \alpha, \beta) \uparrow AlphaBeta(\pi'', v_1, \beta)$ 
where $v_1 = AlphaBeta(\pi', \alpha, \beta)$, considering $h_{pess}(\pi') = h_{pess}(\pi'') = h_{pess}(\pi)$. 
Then, by inductive hypothesis on $n$ there exist $x' \in SetOfVal_{pess}(\pi')$ and 
$y' \in SetOfVal_{opt}(\pi')$ such that 

(#) $\quad AlphaBeta(\pi', \alpha, \beta) =_{\alpha\beta} x'$ 
$\qquad AlphaBeta(\pi', \alpha, \beta) =_{\alpha\beta} y'$ 

and there exist $x'' \in SetOfVal_{pess}(\pi'')$ and $y'' \in SetOfVal_{opt}(\pi'')$ such that 

(##) $\quad AlphaBeta(\pi'', v_1, \beta) =_{v_1\beta} x''$ 
$\qquad AlphaBeta(\pi'', v_1, \beta) =_{v_1\beta} y''$ 
Then 

$\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow [\beta \downarrow (v_1 \uparrow AlphaBeta(\pi'', v_1, \beta))]$ by def. of $v$ and $v_1$ 

$\qquad = \alpha \uparrow [\beta \downarrow (v_1 \uparrow (\beta \downarrow AlphaBeta(\pi'', v_1, \beta)))]$ by Lemma 1 

$\qquad = \alpha \uparrow [\beta \downarrow (v_1 \uparrow (\beta \downarrow x''))]$ by (##) 

$\qquad = \alpha \uparrow [\beta \downarrow (v_1 \uparrow x'')]$ by Lemma 1 

$\qquad = \alpha \uparrow [\beta \downarrow v_1] \uparrow [\beta \downarrow x'']$ by distributive law 

$\qquad = \alpha \uparrow [\beta \downarrow x'] \uparrow [\beta \downarrow x'']$ by (#) 

$\qquad = \alpha \uparrow [\beta \downarrow (x' \uparrow x'')]$ by distributive law 

We have proved $\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow [\beta \downarrow (x' \uparrow x'')]$ (*) and, with the same 
arguments, we can prove $\alpha \uparrow [\beta \downarrow v] = \alpha \uparrow [\beta \downarrow (y' \uparrow y'')]$ (**). We distinguish 
now between two reasons of termination of the algorithm: the case $n = m$ (all 
the moves have been evaluated) and the case $n < m$ (some moves have been 
cut). 



— Sub-case $1 < n = m$ 

The moves of $\pi$ are exactly the set of moves of $\pi'$ together with the moves of 
$\pi''$. Then, defining the approximations $x = x' \uparrow x''$ and $y = y' \uparrow y''$ we have 
$x \in SetOfVal_{pess}(\pi)$ and $y \in SetOfVal_{opt}(\pi)$. Hence conditions (*) and (**) 
give our thesis. 

— Sub-case $1 < n < m$ 

If the algorithm has cut the $m - n$ remaining moves, this means that the condition 
$v_0 \uparrow v_1 \ge \beta$ where $v_0 = AlphaBeta(\pi', \alpha, \beta)$ was true. Then $\alpha \uparrow [\beta \downarrow v] = 
\alpha \uparrow [\beta \downarrow (v_0 \uparrow v_1)] = \alpha \uparrow \beta$ (***). We define the approximations $x = x' \uparrow 
x'' \uparrow x'''$ where $x''' = h_{pess}(\pi_{n+1}) \uparrow \cdots \uparrow h_{pess}(\pi_m)$ and $y = y' \uparrow y'' \uparrow y'''$ 
where $y''' = h_{opt}(\pi_{n+1}) \uparrow \cdots \uparrow h_{opt}(\pi_m)$. By definition $x \in SetOfVal_{pess}(\pi)$ 
and $y \in SetOfVal_{opt}(\pi)$. Then 

$\alpha \uparrow [\beta \downarrow x] = \alpha \uparrow [\beta \downarrow (x' \uparrow x'' \uparrow x''')]$ by def. of $x$ 

$\qquad = \alpha \uparrow [\beta \downarrow (x' \uparrow x'')] \uparrow [\beta \downarrow x''']$ by associative and distributive laws 

$\qquad = \alpha \uparrow [\beta \downarrow v] \uparrow [\beta \downarrow x''']$ by (*) 

$\qquad = \alpha \uparrow \beta \uparrow [\beta \downarrow x''']$ by (***) 

$\qquad = \alpha \uparrow \beta$ because $\beta \downarrow x''' \le \beta$ 

With the same logical steps, simply using (**) instead of (*), we obtain 

$\alpha \uparrow [\beta \downarrow y] = \alpha \uparrow \beta$. 
Abstract. Many logic programming based approaches can be used to 
describe and solve combinatorial search problems. On the one hand there 
is constraint logic programming which computes a solution as an answer 
substitution to a query containing the variables of the constraint satis- 
faction problem. On the other hand there are systems based on stable 
model semantics, abductive systems, and first order logic model gen- 
erators which compute solutions as models of some theory. This paper 
compares these different approaches from the point of view of knowledge 
representation (how declarative are the programs) and from the point of 
view of performance (how good are they at solving typical problems). 



1 Introduction 

Consistency techniques are widely used for solving finite domain constraint sat- 
isfaction problems (CSP) [19]. These techniques have been integrated in logic 
programming, resulting in finite domain constraint logic programming (CLP) 
[20]. In this paradigm, a program typically creates a data structure holding the 
variables of the CSP to be solved, sets up the constraints and uses a labelling 
technique to assign values to the variables. The constraint solver uses consistency 
techniques to prune the search. This leads to a rather procedural programming 
style. Moreover, the problem description is not very declarative because the map- 
ping between domain variables and their value has an indirect representation in 
a term structure. 

In this paper, we compare CLP and three computational paradigms allowing 
problem solving based on more declarative representations. A common feature of 
these approaches is that the relation between the CSP variables and their values 
is encoded as a predicate or function relating identifiers of the CSP variables 
with their value. E.g. in the graph coloring problem, the predicate relates node 
numbers with colors. This representation allows for a more natural declarative 
representation of the problem. 

One approach is specification in first order logic. As pointed out in [12], one 
can represent a CSP as a first order logic theory such that (part of) its models 
correspond to the solutions of the CSP. Hence first order model generators such 
as SEM [24] can be used to solve such problems. 

The two other approaches use extensions of logic programming. Recently, a 
logic programming paradigm based on stable model semantics [6] has emerged. 
Niemelä [14] proposes it as a constraint programming paradigm, Marek and 
Truszczyński [13] introduce Stable Logic Programming and Lifschitz [11] pro- 
poses Answer Set Programming. As described in [13], the methodology of these 
approaches is to encode a computational problem by a logic program such that 
its stable models represent the solutions. A number of efficient systems for com- 
puting stable models have been developed. Of these, Niemelä's smodels [15, 14] 
is considered one of the most performant systems. 

Abduction [8] uses a similar predicate representation for the relation between 
the identifiers of CSP variables and their value. This predicate is declared to be 
open or abducible. Constraining this relation to be a solution, an abductive 
system will return models of the abducible which are solutions of the CSP. 

We use some typical CSP problems to compare the merits of the various 
approaches. One experiment is in graph coloring. We have compared the rep- 
resentation and the performance of CLP with the three other approaches in a 
sequence of experiments where the size of the graph increases and the number 
of colors remains constant. Another experiment is the n-queens problem where 
both the domain size and the number of constraints increases with increasing 
problem size. We also report on experiments using CLP, stable logic program- 
ming and abduction for solving a complex real world scheduling problem. For 
each different system, we have tried to use any special features provided by it. 

In Section 2 we review in more detail the various approaches and systems, 
focusing mainly on the knowledge representation aspects. Section 3 reports on 
the experiments and we conclude in Section 4. 

We are not aware of any previous work which compares this wide range of 
logic based systems for their suitability in solving CSP problems. Mackworth [12] 
explores the space of possible CSP formalizations but assesses neither the quality 
from point of view of knowledge representation nor the performance of actual 
systems. Also, approaches based on stable model semantics and abduction are 
not included in his work. This paper is an extension and revision of [17] which 
focuses more on the formal relations between the declarative specifications of 
the problems on the different systems. 

One more problem which uses aggregate functions is included in the present 
paper. So is an additional experiment for finding all solutions of the n-queens 
problem. Finally, some comments from the authors of the different systems were 
taken into account. 

2 Formalisms and Systems 

A constraint satisfaction problem (CSP) is usually defined as a finite set of con- 
straint variables $X = \{X_1, \ldots, X_n\}$ (the variables of the CSP), a finite domain 
$D_i$ of possible values for each variable $X_i$, and a finite set of constraint relations 
$R$ where each $r \in R$ is a constraint between a subset of the set $X$ of variables. A 
solution is an instantiation of the variables of $X$ which satisfies all the constraints 
in $R$. 

2.1 Constraint Logic Programming 

Constraint logic programming (CLP) [7] is an extension of logic programming 
where some of the predicate and function symbols have a fixed interpretation over 
some subdomain (e.g. finite trees or real numbers). Special purpose constraint 
solvers are integrated with a logic programming system for efficient reasoning on 
these symbols. This results in a very expressive language which can efficiently 
solve problems in many domains. 

Van Hentenryck [20] pioneered the work on finite domain constraint logic 
programming, CLP(FD), by introducing domain declarations for the logic vari- 
ables and integrating consistency techniques as part of the SLD proof procedure. 
A CLP(FD) system supports standard arithmetic relations ($=$, $\ne$, $<$) and func- 
tions ($+$, $-$, $*$) on the natural numbers. A typical formulation of the n-queens 
problem is as follows: 

queens(N, L) :- 
    length(L, N), 
    domain(L, 1, N), 
    constrain_all(L), 
    labeling(L). 

constrain_all([]). 
constrain_all([X|Xs]) :- 
    constrain_between(X, Xs, 1), 
    constrain_all(Xs). 

constrain_between(_, [], _). 
constrain_between(X, [Y|Ys], N) :- 
    safe(X, Y, N), 
    N1 is N + 1, 
    constrain_between(X, Ys, N1). 

safe(X1, X2, D) :- 
    X1 #\= X2, abs(X1 - X2) #\= D. 

Executing the query queens(n, L) first creates a list L with n variables where 
the i-th variable gives the column position of the queen on row i. Then the 
constraints expressed with the safe/3 predicate are added by using two nested 
recursive predicates. Such procedural code for setting up constraints and the 
encoding of the solution in a large data structure results in a rather procedural 
style which is typical for the CLP approach. 

2.2 First Order Logic: Model Generation 

The most elegant solution for the n-queens problem is using many sorted first 
order logic and first order model generation. Systems like FINDER and SEM 
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[24] are examples. One can introduce functions (with the sorts of their domain 
and range) and predicates (with the sorts of their domains and the sort bool as 
range). In addition, functions can be restricted to be injective, bijective, . . . This 
allows to express the n-queens problem very concisely as: 

    D = {1..n}
    pos : D → D (bijection)
    abs(pos(X1) − pos(X2)) ≠ X2 − X1 ← X1 < X2.

The first line declares D as a sort with interpretation consisting of the set of 
integers 1 to n. The following line introduces the function pos/1 as a bijection 
from D to D. Hence, the range of the function is a permutation of its domain. 
This function represents the column positions of the queens. The only remaining 
constraint is that queens have to be on different diagonals. This is expressed by 
the formula on the third line using the predefined functions abs/1 and −/2. Due 
to symmetry, one need only verify the constraint for pairs of queens X1, X2 
such that X1 < X2. 

Solutions are given by the interpretation of the posjl function in the models 
of this theory. In principle, this approach is applicable on any CSP problem by 
representing the CSP variables by logical constants. However, in most cases, CSP 
variables are just an encoding of some attribute of a set of first order objects, 
such as the position of a queen or the color of a node in a graph. In such cases, 
there is no need to introduce the CSP variable. The attribute can be represented 
directly as a function or predicate on these objects (e.g. pos). 

As the domains of all sorts are finite, SEM first computes the grounding 
of the theory and then uses backtracking combined with various inference and 
simplification rules to guide the search for models [24]. 



2.3 Stable Logic Programming 

In [14], Niemela proposes logic programming with the stable model semantics [6] 
as a constraint logic programming paradigm. The underlying idea is to represent 
a problem as a set of rules, each rule being the declarative expression of a piece 
of knowledge about the problem domain and such that the stable models of the 
whole program are constrained to be solutions of the problem. 

The SMODELS system [15] is an efficient implementation of the stable model 
semantics. It works with propositional rules and a special pre-processing program 
is used for grounding strongly range restricted logic programs. The implementa- 
tion combines bottom-up inference with backtracking search and employs pow- 
erful pruning methods. A recent extension of the system [16] introduces choice 
rules: 



    l {l1, ..., ln} u ← B.

where l1, l2, ..., ln are literals. The semantics of such a rule is that if the body B 
is true then at least l and at most u literals among the li should be true in a stable 
model of the program. 

Following [14] and [16], the program for the n-queens problems can be for- 
mulated as: 

    d(1..n).
    1 {pos(X, Y) : d(Y)} 1 ← d(X).
    1 {pos(X, Y) : d(X)} 1 ← d(Y).
    ← d(X1), d(Y1), d(X2), d(Y2), pos(X1, Y1), pos(X2, Y2),
      X1 < X2, X2 − X1 = abs(Y1 − Y2).

Solutions are given by the pos{i,j) atoms in the stable models of the program. 
The first line defines that d/1 is a domain with elements l..n with n the size of 
the board. The first choice rule is used to define the solution space of the problem 
by stating that for each X in the domain d{X), there exists exactly one Y such 
that pos{X,Y) is true. The colon notation denotes an expansion of pos{X,Y) 
for every value of Y . Similarly, the second choice rule expresses that there is 
exactly one queen on each column. The last rule defines the final constraint of 
the problem: no two queens on the same diagonal. Again, the “<” constraints in 
these rules eliminate instances which are redundant due to symmetry. The main 
difference with the first order logic specification is that the mapping between 
queens and their position is now represented by a predicate. Declaring that this 
predicate represents a bijective function is succinctly expressed by the two choice 
rules. 



2.4 Abduction 

Abductive logic programming [8] extends the logic programming paradigm with 
abductive reasoning. An abductive logic program has three components: (1) a 
logic program P, (2) a set of predicates A called abducibles or open predicates, 
and (3) a set of integrity constraints I. The abducibles are predicates not defined 
in the program. The task of an abductive system is to find a set Δ of ground 
abducible atoms such that the integrity constraints are true in the logic program 
consisting of P ∪ Δ; formally: P ∪ Δ ⊨ I. 

Kakas and Michael proposed an integration of CLP and an abductive logic 
programming system [9]. Originally, it was defined only for definite programs 
and integrity constraints and in [10] it was extended to deal with negation as 
failure through abduction in a similar way as in [5]. One restriction of ACLP 
is that integrity constraints need to be of the form <— a{X),B, where a is an 
abducible. As we will see, this forces sometimes to reformulate some constraints 
by an additional recursion. Such restrictions are not present in SLDNFAC [3], a 
more recent integration of an abductive system with CLP that is based on the 
more general abductive procedure SLDNFA [2] . 
The SLDNFAC system uses ID-Logic [1] as specification language, which is 
transformed into an abductive logic program by using a Lloyd-Topor transformation. 
The specification of the n-queens problem is: 

    d(1..n).
    open_function(pos(d, d)).
    Y1 ≠ Y2 ∧ X2 − X1 ≠ Y2 − Y1 ∧ X2 − X1 ≠ Y1 − Y2
        ⇐ pos(X1, Y1) ∧ pos(X2, Y2) ∧ X1 < X2.

The first line of the program defines d /1 as a domain predicate with the integers 
l..n as elements (defining rows and columns). The next line states that the 
predicate pos /2 represents an open function in the defined domain. It is used to 
represent the column position of a queen in a row. Finally there is a constraint 
saying that two queens can not be on the same column and diagonal. This 
representation is almost identical to the FOL specification of Section 2.2. The 
main difference is that the open function is represented by a predicate. 

As mentioned, ACLP does not allow function declarations. Consequently, the 
fact that pos predicate represents a function must be expressed by explicit con- 
straints. A standard way to axiomatize that the abductive predicate pos{X, Y) 
should be true for each X in the domain d{X) is by using the following rule and 
integrity constraints: 

    has_pos(X) ← d(Y), pos(X, Y).
    ← d(X), not has_pos(X).

Unfortunately, the integrity constraint does not satisfy the ACLP’s restriction 
that at least one positive abductive atom should occur in it. Hence, these axioms 
have to be reformulated using a recursive program which generates a position 
for each queen. The specification for the ACLP system is: 

    A = {pos/2}

    problem(N) ← nqueens(N, N).
    nqueens(0, N).
    nqueens(X, N) ← X > 0, Y in 1..N, pos(X, Y),
        Xnext is X − 1, nqueens(Xnext, N).

    attack(X1, Y1, X2, Y2) ← Y1 = Y2.
    attack(X1, Y1, X2, Y2) ← Y1 + X1 = Y2 + X2.
    attack(X1, Y1, X2, Y2) ← Y1 − X1 = Y2 − X2.

    ← pos(X1, Y1), pos(X2, Y2), X1 < X2, attack(X1, Y1, X2, Y2).

The n-queens problem is solved by solutions of the abductive query ← problem(n). 
The ACLP representation is in the middle of the declarative FOL representation 
and the more procedural CLP representation. 




Approaches for Representing and Solving Constraint Satisfaction Problems 231 



3 Experiments 

3.1 The Systems 

The finite domain CLP package is the one provided with ECLiPSe version 4.2. 

Both abductive systems, ACLP [10] and SLDNFAC [3], are meta interpreters 
written in Prolog, running on ECLiPSe version 4.2 and making use of its finite 
domain library. For all these systems, a search strategy which first selects 
variables with the smallest domain which participate in the largest number of 
constraints was used. 

The model generator SEM version 1.7 is a fine tuned package written in C. 
SMODELS version 2.25, the system for computing stable models, is implemented in 
C++ and the associated program used for grounding is lparse version 0.99.54. 
All experiments have been done on the same hardware, namely Pentium II. 

3.2 Graph Coloring 



Fig. 1. Graph coloring 



Our first experiment is done with 4-colorable graphs. We used a graph generator 
program which is available from the address http://web.cs.ualberta.ca/~joe/Coloring/Generators/generate.html 
(the graphs have been generated with the following parameters: 0, 13, 6, n, 4, 0.2, 1, 
0, where n is the number of vertices; graph-coloring problems generated with these 
parameters are difficult). We applied the systems in a sequence 
of experiments with graphs of increasing size and constant number of 
colors. We have modified only one parameter of the problem namely the number 
of vertices. Figure 1 gives the results of solving the problem with the different 
systems. Both axes are plotted in a logarithmic scale. On the x-axis we have put 
the number of vertices. Not surprisingly, CLP is the fastest system. The times 
for SMODELS are second best on this problem. We assume it is in part because of 
the very concise formulation. Using the so called technique of rules with excep- 
tions [14], the two rules needed to describe the space of candidate solutions also 
encode the constraint that the color is a function of the vertex. Hence there is 
only one other rule, namely the constraint that two adjacent vertices must have 
a different color. The difference with CLP is almost two orders of magnitude 
for the largest problems. The times reported for SMODELS do not include the 
time for grounding the problem, these times only consist of a small part of the 
total time. Grounding the problem for 650 nodes takes only 10 seconds, whereas 
solving the problem takes over 100 seconds. SLDNFAC is slightly worse than 
SMODELS. Although meta-interpretation overhead tends to increase with prob- 
lems size, the difference with SMODELS grows very slowly. The model generator 
SEM deteriorates much faster and runs out of memory for the larger problems. 
The fact that it grounds the whole theory is a likely explanation. The differ- 
ence with SMODELS supports the claim that SMODELS has better techniques for 
grounding. ACLP performs substantially worse than SLDNFAC and also dete- 
riorates faster. The difference is likely due to the function-specification available 
in SLDNFAC. Contrary to ACLP, SLDNFAC exploits the knowledge that the 
abducible encodes a function to reduce the number of explicitly stored integrity 
constraints. 



3.3 N-Queens 

Figure 2 gives the running times for the different systems for finding a first 
solution. Both axes are plotted on a linear scale. The time consumed while 
grounding is again not included in the graph (for 18 queens, half a second). 
Again, CLP gives the best results. SLDNFAC is second best and, although meta- 
interpretation overhead increases with problem size, deteriorates very slowly. 
ACLP is third, with a small difference, probably due to the lack of the function 
specification mentioned in the section above (the results with ACLP are substantially 
better than those in the previous paper [17]; this is due to the removal of a redundant 
and time consuming complete consistency check after the processing of each new CLP 
constraint). The next one is SEM. It runs out of memory for large problems (it needs 
about 120MB for 27 queens). SMODELS performs very poorly on this problem, in 
particular when compared with its performance on the graph coloring problem. It is 
well-known that to obtain good results for computing the first solution for the 
n-queens problem, a good search heuristic is needed, like the first fail principle 
used by the systems based on CLP. We believe that the bad performance of SMODELS 
is explained by the absence of appropriate heuristics. This is confirmed by the much 
better performance of the system in computing all solutions. 

Fig. 3. N-queens: all solutions 

Figure 3 gives the running times for finding all solutions. The y-axis is plot- 
ted on a logarithmic scale. The CLP, ACLP and SLDNFAC systems are based 
on the same finite domain constraint solver, so their convergence is not unexpected. 
Indeed, the abductive system generates a constraint problem which is equivalent to 
the problem generated by the CLP program and no backtracking occurs in the abductive 
system. Hence, its overhead becomes negligible. Also 
the SEM system converges to the same performance as CLP (but runs out of 
memory for big problems). In this experiment, the SMODELS system performs 
much better but is still the slowest system. A likely reason for this is that the 
number of propositional variables in the n-queens problem grows quadratically 
with the problem size, in contrast with the graph coloring problem where the 
number of variables grows only linearly (because of a constant number of colors) . 
Consequently, the grounding grows faster for this problem. The CLP consistency 
techniques seem to be much less sensitive to the domain size, and this carries 
over to the abductive systems which reduce the problem to a CLP problem and 
then use the CLP solver to search for the solution. 
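
The following added example (not code from the paper or from any of the systems it measures) makes the grounding argument of Sections 2.2, 2.3 and 3.3 concrete in Python. It grounds the n-queens theory and a k-coloring theory into propositional clauses, with each 1 {...} 1 choice rule becoming an at-least-one clause plus pairwise at-most-one clauses, and then searches for a model with a minimal DPLL procedure, the "ground, then backtrack" strategy of SEM and SMODELS. Counting the variables shows why the grounding of n-queens grows quadratically (one atom pos(x, y) per cell) while that of coloring grows linearly in the number of vertices for a fixed number of colors. The Grounder class, the dpll function and the sample graph are this example's own constructions.

```python
# Added example, not from the paper: ground a finite theory to clauses and
# search for a model with a minimal DPLL procedure.
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Clause = List[int]   # DIMACS style: literal +v is "atom v true", -v is "atom v false"


class Grounder:
    """Assigns a propositional variable number to each ground atom (a tuple)."""

    def __init__(self) -> None:
        self.vars: Dict[tuple, int] = {}

    def atom(self, *key) -> int:
        return self.vars.setdefault(key, len(self.vars) + 1)


def exactly_one(lits: List[int]) -> List[Clause]:
    """The choice rule 1 {l1, ..., ln} 1 as clauses: at least one, pairwise at most one."""
    return [list(lits)] + [[-a, -b] for a, b in combinations(lits, 2)]


def ground_queens(n: int) -> Tuple[Grounder, List[Clause]]:
    """Ground the n-queens theory of Sections 2.2/2.3 over D = {1..n}."""
    g, clauses = Grounder(), []
    for x in range(1, n + 1):            # pos is total: one column per row
        clauses += exactly_one([g.atom("pos", x, y) for y in range(1, n + 1)])
    for y in range(1, n + 1):            # pos is injective: one row per column
        clauses += exactly_one([g.atom("pos", x, y) for x in range(1, n + 1)])
    for x1 in range(1, n + 1):           # no two queens on a diagonal (X1 < X2 by symmetry)
        for x2 in range(x1 + 1, n + 1):
            for y1 in range(1, n + 1):
                for y2 in range(1, n + 1):
                    if x2 - x1 == abs(y1 - y2):
                        clauses.append([-g.atom("pos", x1, y1), -g.atom("pos", x2, y2)])
    return g, clauses


def ground_coloring(edges, k: int) -> Tuple[Grounder, List[Clause]]:
    """Ground k-coloring: every vertex gets exactly one color, adjacent vertices differ."""
    g, clauses = Grounder(), []
    for v in sorted({v for e in edges for v in e}):
        clauses += exactly_one([g.atom("col", v, c) for c in range(k)])
    for u, v in edges:
        for c in range(k):
            clauses.append([-g.atom("col", u, c), -g.atom("col", v, c)])
    return g, clauses


def dpll(clauses: List[Clause],
         assignment: Optional[Dict[int, bool]] = None) -> Optional[Dict[int, bool]]:
    """Backtracking search with unit propagation; returns a (partial) model or None."""
    assignment = dict(assignment or {})
    while True:
        unit, remaining = None, []
        for cl in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in cl):
                continue                                  # already satisfied
            free = [l for l in cl if abs(l) not in assignment]
            if not free:
                return None                               # conflict: clause falsified
            if len(free) == 1:
                unit = free[0]
            remaining.append(free)
        clauses = remaining
        if not clauses:
            return assignment
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0                  # unit propagation
    var = abs(clauses[0][0])                              # split on the first free literal
    for value in (True, False):
        model = dpll(clauses, {**assignment, var: value})
        if model is not None:
            return model
    return None


def true_atoms(g: Grounder, model: Dict[int, bool]) -> List[tuple]:
    """Decode a model back to ground atoms; unassigned variables count as false."""
    return [atom for atom, var in g.vars.items() if model.get(var, False)]


def solve_queens(n: int) -> Optional[List[int]]:
    """First solution as the list of columns for rows 1..n, or None if unsatisfiable."""
    g, clauses = ground_queens(n)
    model = dpll(clauses)
    if model is None:
        return None
    cols = {x: y for (_, x, y) in true_atoms(g, model)}
    return [cols[x] for x in range(1, n + 1)]


def is_queens_solution(cols: Optional[List[int]]) -> bool:
    """Distinct columns and no shared diagonal for every pair of rows."""
    if not cols:
        return False
    n = len(cols)
    return all(cols[i] != cols[j] and abs(cols[i] - cols[j]) != j - i
               for i in range(n) for j in range(i + 1, n))


def color_graph(edges, k: int) -> Optional[Dict[int, int]]:
    """A proper k-coloring as a vertex -> color map, or None."""
    g, clauses = ground_coloring(edges, k)
    model = dpll(clauses)
    if model is None:
        return None
    return {v: c for (_, v, c) in true_atoms(g, model)}


# Constructed sample input (not from the paper): a triangle plus one pendant vertex.
SAMPLE_EDGES = [(1, 2), (2, 3), (1, 3), (3, 4)]
```

len(g.vars) after ground_queens(n) is n·n, after ground_coloring(edges, k) it is k times the number of vertices; the number of clauses likewise reflects how the diagonal constraint contributes a quadratic number of binary clauses, which is the growth that Section 3.3 offers as the explanation for the SMODELS timings on n-queens.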



3.4 A Real World Problem 

A Belgian electricity company has a number of power plants divided in geo- 
graphic areas. Each power plant has a number of power generating units, each of 
which must receive a given number (usually 1 or 2) of preventive maintenances 
with a fixed duration in the course of one year. The computational problem is to 
schedule these maintenances according to some constraints and optimality crite- 
ria. Some of the constraints are: some time slots are prohibited for maintenance 
for some units; for each power plant, there is an upper limit on the total number 
of units in maintenance per week for reasons of availability of personnel; some 
of the maintenances are fixed in advance, . . . The objective of the problem is to 
find a schedule that maximizes the minimal weekly reserve, which is the sum 
of the capacity of all units not in maintenance minus the expected weekly peak 
load. 

This is a rather difficult problem in several aspects. Firstly, the specification 
uses aggregate expressions like cardinality and sum (e.g. for each area, there is 
an upper limit to the total capacity for units in maintenance per week). Only 
CLP, SMODELS and SLDNFAC support some form of aggregates and only these 
systems were used in our experiment. Also, the search space is very large, as 
there are 56 maintenances to be scheduled in 52 weeks, which makes about 52^56 
combinations (the maintenances with duration of more than one week cannot be 
scheduled in week 52, hence this number is only an upper approximation). The 
company provided a set of constraints for which the optimal solution was known 
to have a minimal week reserve of 2100 (100%). The three systems found correct 
schedules but none was able to find this optimal solution. 

This application was first considered in a context of a master's thesis [18] and 
then reported in [4] , where a first attempt was done for integrating the SLDNFA 
proof procedure with the CLP system ROPE [23, 22]. This early system needed 
24 hours to reduce the problem to a constraint store. Later on, in [22] several 
different direct encodings in CLP of the problem were presented and compared. 
Recently, [21] discussed an extension of the SLDNFAC system with aggregate 
functions and this problem was used as a benchmark. 

The first version of the SMODELS system did not support aggregate expres- 
sions. A more recent version of the system added a limited support for rules 
with a body consisting of a single cardinality or sum constraint [16] and allowed 
us to specify the problem. However, these aggregate constraints cannot be used 
for computing the sum or the cardinality of a set of atoms and we were not 
able to express the optimization function. By setting increasing lower bounds on 
the reserve capacity, branch and bound can be simulated manually. It should be 
noted that, because of the very large size of the problem, the specification of the 
problem in the SMODELS system had to be redesigned with special care in order 
to produce a ground program not exceeding the limits of the system. 

Table 1 summarizes the results of executing the problem with the different 
systems. The first row "Setup" gives the time used for pre-processing the problem 
specification. For the abductive systems, this is the time for reducing the high-level 
specification to a set of constraints. For the SMODELS system this is the 
time for grounding the program. The rest of the rows give the times used by the 
constraint solver to find a solution with the given quality. The results for CLP 
are taken from [22] for a standard encoding of the problem (without using global 
constraints, like cumulative) and the program was run under SICStus Prolog. 

    Reserve    CLP         SLDNFAC    SMODELS
    Setup      -           45         36.4
    1900       -           63.2       8.07
    2000       7.71        62.9       >8h
    2010       25.85       63.8       -
    2020       43.73       62.9       -
    2030       57.28       63.0       -
    2040       71.63       261.1      -
    2050       26843.50    871.3      -

Table 1. Power plant scheduling (times in seconds; "-" means no result reported) 

In the case of SLDNFAC, it can be seen in Table 1 that substantial progress 
was made. Rather than the 24h needed in the earlier version [4], the current 
SLDNFAC procedure only needs 45 seconds for reducing the problem and about 
15 minutes for finding a solution of level 2050 (97.6%). A solution with reserve 
capacity of 2030 (96.5%) was found in less than two minutes. Note that the 
timings for a solution with a reserve capacity of 1900 up to 2030 are similar. 
This is explained by the fact that in the five cases the same solution with reserve 
capacity of 2030 was computed. The small differences in timings are due to 
noise in the measurements. Strangely enough, CLP deteriorates when it reaches 
a solution for a reserve capacity of 2050 whereas the SLDNFAC solution does 
not. This must be due to the fact that the constraint store built by the CLP 
solution differs from the one built by the SLDNFAC solution. This is accidental: 
in general, constraint stores constructed by a hand made CLP program are more 
efficient than the ones computed by SLDNFAC. The SMODELS system needed 
40 seconds for grounding and the best solution we were able to find was 1900 
(90.5%) in 8 seconds. We did not find better solutions in reasonable time. 



4 Conclusion 

Finite domain CLP is widely accepted as an excellent tool for CSP solving. 
However CLP programs have drawbacks from the point of view of knowledge 
representation. As explained in Section 2.1, the variables of the CSP have to be 
organized in a data structure and “procedural” code is required to create this 
data structure and to set up the constraints. This level of indirection increases 
the conceptual distance between the program and the problem and makes pro- 
grams less declarative. Recently, several attempts have been made to introduce 
formalisms allowing more declarative formalizations. They are based on stable 
model semantics [11, 13, 14] and on abduction [9, 10, 3]. Although these systems 
have an expressivity beyond what is needed to describe a CSP (they address 
non-monotonic reasoning while CSP solving requires only negation of primitive 
constraints), it is worthwhile to compare these systems with CLP which is state 
of the art for CSP solving. Because both stable models and abduction express 
solutions to problems as models of their theory, we have also included first or- 
der model generators in our study [24]. As argued in Section 2, these three 
approaches are better than CLP from knowledge representation point of view, 
the formalizations are more natural, more readable, conceptually closer to the 
problem, in short they are more declarative than CLP programs. Which one of 
the three discussed mechanisms is the most declarative is likely a matter of taste 
and familiarity. 

Inevitably there is a price to be paid for these higher level descriptions. None 
of the “declarative” systems experimented with comes close to the performance 
level of CLP. This result holds although the CLP system is not favored by 
the problem choice. Indeed, in both graph coloring and n-queens problem, all 
constraints are disequality constraints which are known to give little propagation. 

Our experiments show that first order model generators do not scale well 
and run out of memory for large problem instances even though the size of the 
ground program is smaller compared to SMODELS. We think that this is not 
an inherent limitation of the approach but rather that such systems were written 
with the goal of fast performance and this is visible in our experiments. In 
contrast, SMODELS runs in linear space wrt the size of the grounding [15] and 
was able to solve all problem sizes. Of the two abductive systems, SLDNFAC 
supports a substantially richer formalism and is performing slightly better than 
ACLP. As the two systems follow more or less the same strategy of top-down 
reduction of integrity constraints and of forwarding the reduced ones to the CLP 
solver and as both are implemented as a Prolog meta-interpreter, the difference 
seems to be mainly due to the support of function specifications. The fact that 
the SLDNFAC meta-interpreter outperforms SEM (a fine tuned C implementation) 
on both problems and compares very well with the C++ implementation of 
SMODELS (it is much better on the n-queens problem while it reaches almost the 
same performance on the graph coloring problem) suggest that its overall strat- 
egy is the best one of the three systems for CSP solving. Also the experiments 
with the large scheduling problem suggest this: the setup time is acceptable and 
differences in search time seem to be due to differences in the order of traversing 
the search space. While the difference with CLP is substantial, a low level imple- 
mentation or compilation should be able to come close to the performance levels 
of CLP, offering the best of both worlds: declarative problem formulations and 
efficient execution. However, SLDNFA, the procedure underlying SLDNFAC, is 
complex, hence building a direct implementation is a hard task. We believe the 
development of such a system is a worthwhile topic for future research. 
Abstract. It is shown that the quantified propositional Gödel logic G_↑^qp, 
based on the truth-value set V_↑ = {1 − 1/n : n ≥ 1} ∪ {1}, is decidable. 
This result is obtained by reduction to Büchi's theory S1S. An alternative 
proof based on elimination of quantifiers is also given, which yields both 
an axiomatization and a characterization of G_↑^qp as the intersection of 
all finite-valued quantified propositional Gödel logics. 



1 Introduction 

In 1932, Gödel [10] introduced a family of finite-valued propositional logics to 
show that intuitionistic logic does not have a characteristic finite matrix. Dummett 
[7] later generalized these to an infinite set of truth-values, and showed that 
the set of its tautologies LC is axiomatized by intuitionistic logic extended by 
the linearity axiom (A ⊃ B) ∨ (B ⊃ A). Gödel-Dummett logic naturally turns up 
in a number of different areas of logic and computer science. For instance, Dunn 
and Meyer [8] pointed out its relation to relevance logic; Visser [15] employed 
it in investigations of the provability logic of Heyting arithmetic; Pearce used it 
to analyze inference in extended logic programming [13]; and eventually it was 
recognized as one of the most important formalizations of fuzzy logic [11]. 

The propositional Gödel logics are well understood: Any infinite set of truth-values 
characterizes the same set of tautologies. LC is also characterized as the 
intersection of the sets of tautologies of all finite-valued Gödel logics G_k [7], 
and as the logic determined either by linearly ordered Kripke frames or linearly 
ordered Heyting algebras [12]. 

When Gödel logic is extended beyond pure propositional logic, however, the 
situation is more complex. For the cases of propositional entailment and extension 
to first-order validity, infinite truth-value sets with different order types 
determine different logics with different properties. There are infinitely many 
sets of truth values which give rise to distinct logics. As an example, consider 
the truth-value sets 
    V_∞ = [0, 1]
    V_↓ = {0} ∪ {1/n : n ≥ 1}
    V_↑ = {1} ∪ {1 − 1/n : n ≥ 1}
    V_k = {1} ∪ {1 − 1/n : n = 1, ..., k−1}

Propositional entailment with respect to V_∞ is compact, but not with respect 
to V_↓ or V_↑. If a formula A is entailed by a set Γ with respect to V_k for every 
k, then it is also entailed with respect to V_↑, but not necessarily with respect to 
V_∞ or V_↓ [5]. Similarly, the first-order logic based on V_∞ is axiomatizable (this 
is Takeuti and Titani's intuitionistic fuzzy logic [14]), while those based on V_↑ 
and V_↓ are not [2]. The first-order Gödel logic based on V_↑ is the intersection of 
all finite-valued first-order Gödel logics. 

Another interesting generalization of propositional logic is obtained by adding 
quantifiers over propositional variables. In classical logic, propositional quantifi- 
cation does not increase expressive power per se. It does, however, allow express- 
ing complicated properties more naturally and succinctly, e.g., satisfiability and 
validity of formulas are easily expressible within the logic once such quantifiers 
are available. This fact can be used to provide efficient proof search methods for 
several non-monotonic reasoning formalisms [9] . 

For Gödel logic the increase in expressive power is witnessed by the fact that 
statements about the topological structure of the set of truth-values (taken as 
infinite subsets of the real interval [0, 1]) can be expressed using propositional 
quantifiers [4]. In [4] it is also shown that there is an uncountable number of 
different quantified propositional infinite-valued Gödel logics. The same paper 
investigates the quantified propositional Gödel logic G_∞^qp based on the set of 
truth-values [0, 1], which was shown to be decidable. It is of some interest to 
characterize the intersection of all finite-valued quantified propositional Gödel 
logics. As was pointed out in [4], G_∞^qp does not provide such a characterization. 

In this paper we study the quantified propositional Gödel logic G_↑^qp based 
on the truth-value set V_↑. We show that G_↑^qp is decidable. In general, it is not 
obvious that a quantified propositional logic is decidable or even axiomatizable. 
For instance, neither the closely related quantified propositional intuitionistic 
logic, nor the set of valid first-order formulas on the truth-value set V_↑ are r.e. 
Although our result can be obtained by reduction to Büchi's monadic second 
order theory of one successor S1S [6], we also give a more informative proof based 
on elimination of propositional quantifiers. This proof allows us to characterize 
G_↑^qp as the intersection of all finite-valued quantified propositional Gödel logics, 
and moreover yields an axiomatization of G_↑^qp. 

A remark is in order about the relationship between the approach taken here 
using truth-value semantics and Kripke semantics. As was pointed out above, 
LC is often defined as the propositional logic of linearly ordered Kripke frames. 
In Kripke semantics, quantified propositional LC would then result by adding 
quantifiers over propositions (subsets of the set of worlds closed under accessibility). 
Here different classes of linear Kripke structures which all define LC in 
the pure propositional case in general do not define the same quantified propositional 
logic. In particular, the logic obtained by just taking Kripke models of 
order type ω is not the same as that defined by the class of all finite linear orders. 
It follows from the results of this paper that the logic of all finite linear Kripke 
structures coincides with G_↑^qp. 



2 Gödel Logics 



Syntax. We work in the language of propositional logic containing a countably 
infinite set Var = {p, q, ...} of (propositional) variables, the constants ⊥, ⊤, as 
well as the connectives ∧, ∨, and ⊃. Propositional variables and constants are 
considered atomic formulas. Uppercase letters will serve as meta-variables for 
formulas. If A(p) is a formula containing the variable p free, then A(X) denotes 
the formula with all occurrences of the variable p replaced by the formula X. 
Var(A) is the set of variables occurring in the formula A. We use the abbreviations 
¬A for A ⊃ ⊥ and A ≡ B for (A ⊃ B) ∧ (B ⊃ A). 



Semantics. The most important form of Gödel logic is defined over the real unit 
interval V_∞ = [0, 1]; in a more general framework, the truth-values are taken 
from a set V such that {0, 1} ⊆ V ⊆ [0, 1]. In the case of k-valued Gödel logic 
G_k, we take V_k = {1 − 1/i : i = 1, ..., k−1} ∪ {1}. The logic we will be most 
interested in is based on the set V_↑ = {1 − 1/i : i ≥ 1} ∪ {1}. 

A valuation v : Var → V is an assignment of values in V to the propositional 
variables. It can be extended to formulas using the following truth functions 
introduced by Gödel [10]: 

    v(⊥) = 0                        v(A ∨ B) = max(v(A), v(B))
    v(⊤) = 1                        v(A ⊃ B) = 1 if v(A) ≤ v(B), and v(B) otherwise
    v(A ∧ B) = min(v(A), v(B))

A formula A is a tautology over a truth-value set V ⊆ [0, 1] if for all valuations 
v : Var → V, v(A) = 1. The propositional logics LC, G_↑ and G_k are the sets 
of tautologies over the corresponding truth-value sets, e.g., LC = G_∞ = {A : 
A a tautology over V_∞}. We also write G ⊨ A for A ∈ G (G ∈ {LC, G_↑, G_k}). 

It is easily seen that LC ⊆ G_↑ ⊆ G_k. Dummett [7] showed that LC = G_↑ 
and that LC = ∩_{k≥2} G_k. 

The abbreviation A ◁ B for (A ⊃ B) ∧ ((B ⊃ A) ⊃ A) will be used extensively 
below. It expresses strict linear order in the sense that 

    v(A ◁ B) = 1 if v(A) < v(B) or v(B) = 1, and min(v(A), v(B)) otherwise.



Propositional Quantification. In classical propositional logic we define (∃p)A(p) 
by A(⊤) ∨ A(⊥) and (∀p)A(p) by A(⊤) ∧ A(⊥). In other words, propositional 
quantification is semantically defined by the supremum and infimum, respectively, 
of truth functions (with respect to the usual ordering "0 < 1" over the 
classical truth-values {0, 1}). This can be extended to Gödel logic by using fuzzy 
quantifiers. Syntactically, this means that we allow formulas (∃p)A and (∀p)A in 
the language. Free and bound occurrences of variables are defined in the usual 
way. Given a valuation v and w ∈ V, define v[w/p] by v[w/p](p) = w and 
v[w/p](q) = v(q) for q ≠ p. The semantics of fuzzy quantifiers is then defined as 
follows: 

    v((∃p)A) = sup{v[w/p](A) : w ∈ V}        v((∀p)A) = inf{v[w/p](A) : w ∈ V}



When we consider quantifiers, V has to be closed under infima and suprema, 
since otherwise truth values for quantified formulas are not defined. 

We also add the additional unary connective ○ to the language. The truth 
function for ○ is given by v(○A) = v((∀p)((p ⊃ A) ∨ p)). In G_↑^qp this makes 

    v(○A) = 1 if v(A) = 1, and 1 − 1/(i+1) if v(A) = 1 − 1/i.

We abbreviate ○...○A (n occurrences of ○) by ○^n A. 

Using the above definitions, it is straightforward to extend the notion of 
tautologyhood to the new language. We write G_↑^qp (G_∞^qp, G_k^qp) for the set of 
tautologies in the extended language over V_↑ (V_∞, V_k). 

We will show below that every quantified propositional formula is equivalent 
in G_↑^qp to a quantifier-free formula, which in general can contain ○. ○A itself (or 
the equivalent formula (∀p)((p ⊃ A) ∨ p)), however, is not in general equivalent 
to a quantifier-free formula not containing ○. Inspection of the truth tables 
shows that a quantifier-free formula containing only the variable q takes one of 
0, v(q), or 1 as its value under a given valuation v, and thus no such formula 
can define ○q. 



3 Hilbert-Style Calculi 

All the calculi we consider are based on the following set of axioms: 

$$\begin{array}{ll@{\qquad}ll}
\mathrm{I1} & A \supset (B \supset A) & \mathrm{I7} & (A \wedge \neg A) \supset B \\
\mathrm{I2} & (A \wedge B) \supset A & \mathrm{I8} & (A \supset \neg A) \supset \neg A \\
\mathrm{I3} & (A \wedge B) \supset B & \mathrm{I9} & \bot \supset A \\
\mathrm{I4} & A \supset (B \supset (A \wedge B)) & \mathrm{I10} & A \supset \top \\
\mathrm{I5} & A \supset (A \vee B) & \mathrm{I11} & (A \supset (B \supset C)) \supset ((A \supset B) \supset (A \supset C)) \\
\mathrm{I6} & B \supset (A \vee B) & \mathrm{I12} & ((A \supset C) \wedge (B \supset C)) \supset ((A \vee B) \supset C)
\end{array}$$

These axioms, together with the rule of modus ponens, define the system IPC 
that is sound and complete for intuitionistic propositional logic. The system LC 
is obtained by adding to IPC the linearity axiom 

$$\mathrm{LC} \qquad (A \supset B) \vee (B \supset A).$$

It is well known [7] that IPC and LC are sound for all propositional Gödel logics, 
and that LC is complete for all infinite-valued propositional Gödel logics. We 
will make frequent use of this fact below, and omit derivations of formulas which 
are (instances of) quantifier- and $\bigcirc$-free tautologies in $G_\uparrow$. These omissions are 
indicated by pointing out that the formula follows already in LC or IPC. In 
particular, familiar inference patterns such as the chain rule or case distinction 
are derivable in LC and its extensions. 

When we turn to quantified propositional logics, a natural system $\mathrm{IPC}^{qp}$ to 
start with is obtained by adding to IPC the following two axioms: 

$$(\supset\exists)\quad A(C) \supset (\exists p)A(p) \qquad\qquad (\supset\forall)\quad (\forall p)A(p) \supset A(C)$$

and the rules: 

$$(\mathrm{R}\exists)\ \frac{A(p) \supset B^{(p)}}{(\exists p)A(p) \supset B^{(p)}} \qquad\qquad (\mathrm{R}\forall)\ \frac{B^{(p)} \supset A(p)}{B^{(p)} \supset (\forall p)A(p)}$$

where for any formula $C$, the notation $C^{(p)}$ indicates that $p$ does not occur free 
in $C$, i.e., $p$ is a (propositional) eigenvariable. 

Let $QG^{qp}_\uparrow$ be the system obtained by adding to $\mathrm{IPC}^{qp}$ the axioms (LC), 

$$(\forall\vee)\quad (\forall p)[A \vee B(p)] \supset [A \vee (\forall p)B(p)]$$

where $p \notin A$, and the following: 

$$\begin{array}{ll@{\qquad}ll}
\mathrm{G1} & \bigcirc(A \supset B) \leftrightarrow (\bigcirc A \supset \bigcirc B) & \mathrm{G4} & (A \supset \bigcirc B) \supset ((A \supset C) \vee (C \supset B)) \\
\mathrm{G2} & A \prec \bigcirc A & \mathrm{G5} & (A \leftrightarrow \bot) \vee (\exists p)(A \leftrightarrow \bigcirc p) \\
\mathrm{G3} & (\bigcirc A \supset \bigcirc B) \supset ((A \supset B) \vee \bigcirc B) & \mathrm{G6} & (A \prec B) \supset (\bigcirc A \supset B)
\end{array}$$

Proposition 1. The system $QG^{qp}_\uparrow$ is sound for $G^{qp}_\uparrow$ and $G^{qp}_k$. 

Proof. It is easily seen that the rules of inference preserve validity. For instance, 
if $B \supset A(p)$ is valid, then, for any valuation $v$, $v[w/p](B) \le v[w/p](A(p))$ for every 
$w \in V$. If $p$ does not occur in $B$, then $v(B) = v[w/p](B)$ and we have $v(B) \le 
\inf\{v[w/p](A(p)) : w \in V\}$. That LC is sound for arbitrary Gödel logics was 
shown in [7]. The tedious but straightforward verification that the remaining 
axioms $(\forall\vee)$ and (G1)-(G6) are valid is left to the reader. 

Remark 2. In [4] it was shown that a system sound and complete for $G^{qp}_\infty$, the 
quantified propositional Gödel logic based on the truth-value set $[0,1]$, is ob- 
tained by extending $\mathrm{IPC}^{qp}$ with (LC), $(\forall\vee)$ and the axiom 

$$(\forall p)[(A^{(p)} \supset p) \vee (p \supset B^{(p)})] \supset (A^{(p)} \supset B^{(p)}).$$

This schema is not valid in $G^{qp}_\uparrow$ (it comes out $= 0$ under any $v$ with $v(A) = 1/2$ 
and $v(B) = 0$). On the other hand, it is easy to see that $v(\bigcirc A) = v(A)$ in 
$V_\infty$, and hence axiom (G2) is not valid in $G^{qp}_\infty$. Thus neither of $G^{qp}_\infty$ and $G^{qp}_\uparrow$ 
is included in the other. This is in contrast to the situation in propositional 
entailment and first-order logic, where $V_\infty$ defines the smallest Gödel logic and 
is included in all others. 
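The semantics of Section 2, the soundness claim of Proposition 1 and the counterexample of Remark 2 can all be checked mechanically on a finite truth-value set. The following is an added example (not code from the paper): it evaluates quantified propositional Gödel formulas with the connective $\bigcirc$ over the finite initial segment $\{1 - 1/n : 1 \le n \le N\} \cup \{1\}$ of $V_\uparrow$ (a constructed stand-in for $V_\uparrow$, used only so that $\sup$ and $\inf$ can be computed by enumeration), recovers the successor behaviour of $\bigcirc$ and the truth table of $\prec$, verifies that (G1)-(G6) and an instance of $(\forall\vee)$ are tautologies there, and exhibits the failing valuation for the $[0,1]$-axiom of Remark 2 (with $A$ a variable and $B := \bot$). The formula encoding and all function names are this example's own.

```python
from fractions import Fraction
from itertools import product

def v_up(N):
    """Constructed finite stand-in for V_up: {1 - 1/n : 1 <= n <= N} together with 1."""
    return sorted({Fraction(n - 1, n) for n in range(1, N + 1)} | {Fraction(1)})

# Formulas are nested tuples.
def var(p):     return ('var', p)
BOT, TOP = ('bot',), ('top',)
def and_(a, b): return ('and', a, b)
def or_(a, b):  return ('or', a, b)
def imp(a, b):  return ('imp', a, b)
def nxt(a):     return ('next', a)          # the unary connective ◯
def all_(p, a): return ('all', p, a)
def ex(p, a):   return ('ex', p, a)
# Abbreviations used in the paper.
def neg(a):     return imp(a, BOT)
def iff(a, b):  return and_(imp(a, b), imp(b, a))
def prec(a, b): return and_(imp(a, b), imp(imp(b, a), a))   # A ≺ B

def ev(f, v, V):
    """Value of f under the valuation v (dict variable -> Fraction) over the set V."""
    t = f[0]
    if t == 'var': return v[f[1]]
    if t == 'bot': return Fraction(0)
    if t == 'top': return Fraction(1)
    if t == 'and': return min(ev(f[1], v, V), ev(f[2], v, V))
    if t == 'or':  return max(ev(f[1], v, V), ev(f[2], v, V))
    if t == 'imp':
        a, b = ev(f[1], v, V), ev(f[2], v, V)
        return Fraction(1) if a <= b else b           # Gödel implication
    if t == 'next':
        # v(◯A) = v((∀p)((p ⊃ A) ∨ p)) for fresh p: inf over w of max(w ⊃ v(A), w)
        a = ev(f[1], v, V)
        return min(max(Fraction(1) if w <= a else a, w) for w in V)
    if t in ('all', 'ex'):
        vals = [ev(f[2], {**v, f[1]: w}, V) for w in V]   # fuzzy quantifier: inf / sup
        return min(vals) if t == 'all' else max(vals)
    raise ValueError(f)

def free_vars(f, bound=frozenset()):
    t = f[0]
    if t == 'var': return set() if f[1] in bound else {f[1]}
    if t in ('bot', 'top'): return set()
    if t in ('all', 'ex'): return free_vars(f[2], bound | {f[1]})
    return set().union(*(free_vars(g, bound) for g in f[1:]))

def counterexample(f, V):
    """A valuation with v(f) < 1, or None if f is a tautology over V."""
    fv = sorted(free_vars(f))
    for vals in product(V, repeat=len(fv)):
        v = dict(zip(fv, vals))
        if ev(f, v, V) < 1:
            return v
    return None

A, B, C, P = var('A'), var('B'), var('C'), var('p')
AXIOMS = {   # (G1)-(G6) and the instance of (∀∨) with B(p) := p ⊃ B
    'G1': iff(nxt(imp(A, B)), imp(nxt(A), nxt(B))),
    'G2': prec(A, nxt(A)),
    'G3': imp(imp(nxt(A), nxt(B)), or_(imp(A, B), nxt(B))),
    'G4': imp(imp(A, nxt(B)), or_(imp(A, C), imp(C, B))),
    'G5': or_(iff(A, BOT), ex('p', iff(A, nxt(P)))),
    'G6': imp(prec(A, B), imp(nxt(A), B)),
    'VV': imp(all_('p', or_(A, imp(P, B))), or_(A, all_('p', imp(P, B)))),
}
# The [0,1]-axiom of Remark 2 with A a p-free variable and B := ⊥.
REMARK2 = imp(all_('p', or_(imp(A, P), imp(P, BOT))), imp(A, BOT))

if __name__ == '__main__':
    V = v_up(6)
    for name, ax in AXIOMS.items():
        print(name, 'tautology' if counterexample(ax, V) is None else 'fails')
    print('Remark 2 schema fails under', counterexample(REMARK2, V))
```

Because the finite segment is a chain, $\bigcirc$ computed from its defining quantifier is exactly the successor map (capped at $1$), which is why (G2), (G5) and (G6) come out valid on it; the same enumeration with `v_up(3)`, whose values are $0, 1/2, 2/3, 1$, already produces the Remark 2 counterexample $v(A) = 1/2$.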
4 Decidability 

In this section we prove that $G^{qp}_\uparrow$ is decidable. This is done by defining a re- 
duction of tautologyhood in $G^{qp}_\uparrow$ to S1S, the monadic theory of one successor, 
which was shown to be decidable by Büchi [6]. 

S1S is the set of second-order formulas in the language with second-order 
quantification restricted to monadic set variables $X, Y, \ldots$ with one unary 
function $'$ (successor) which are true in the model $(\omega, {}')$. For the purposes of this 
section we consider $\bigcirc A$ to be an abbreviation of $(\forall p)((p \supset A) \vee p)$. 

Suppose $A$ is a quantified propositional formula, and $B$ is a formula in the 
language of S1S with only $x$ free. Let $TV(B(x))$ abbreviate $(\forall z)(B(z') \supset B(z))$, 
and let $B^y$ denote $B^\sigma$ with $y$ in place of $x$. We define $A^\sigma$ by: 

$$\begin{array}{rcl}
p^\sigma &=& X_p(x) \\
\bot^\sigma &=& X_\bot(x) \\
\top^\sigma &=& (\forall z)(z = z) \\
(B \wedge C)^\sigma &=& B^\sigma \wedge C^\sigma \\
(B \vee C)^\sigma &=& B^\sigma \vee C^\sigma \\
(B \supset C)^\sigma &=& (\forall y)(B^y \supset C^y) \vee ((\exists y)(B^y \wedge \neg C^y) \wedge C^\sigma) \\
((\forall p)B)^\sigma &=& (\forall X_p)(TV(X_p(x)) \supset B^\sigma) \\
((\exists p)B)^\sigma &=& (\exists X_p)(TV(X_p(x)) \wedge B^\sigma)
\end{array}$$

Consider the following reduction: 

$$\Phi(A) = (\forall X_\bot)((\forall x)\neg X_\bot(x) \supset (\forall x)A^\sigma)$$

The idea behind this is to correlate truth values in $V_\uparrow$ with subsets of $\omega$ which 
are closed under predecessor, i.e., predicates in 

$$TV = \{P \subseteq \omega : \text{if } n \in P \text{ then } m \in P \text{ for all } m < n\}.$$

Under this correlation, $1$ corresponds to $\omega$, and $1 - 1/n$ corresponds to $\{1, \ldots, n\}$. 

Let $s$ be an interpretation of the language of S1S, mapping variables to 
elements or subsets of $\omega$. We denote by $s[n/x]$ the interpretation which is just 
like $s$ except that it assigns $n$ to $x$. Then $TV(A(x))$ obviously expresses the 
condition that the predicate $A(x)[s] = \{n : \mathrm{S1S} \models A(x)[s[n/x]]\}$ defined by 
$A(x)$ in $s$ is closed under predecessor. If a monadic predicate $P$ is closed under 
predecessor, we define its truth value by 

$$tv(P) = \sup\{1 - \tfrac{1}{n} : n \in P\}.$$

Conversely, every truth value $v \in V_\uparrow$ corresponds to a monadic predicate 

$$mp(v) = \begin{cases} \{1, \ldots, n\} & \text{if } v = 1 - 1/n \\ \omega & \text{if } v = 1. \end{cases}$$

Note that for $P, Q \in TV$, $P \subseteq Q$ iff $tv(P) \le tv(Q)$, and conversely, for $v, w \in V_\uparrow$, 
$v \le w$ iff $mp(v) \subseteq mp(w)$. 
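The translation $A \mapsto A^\sigma$, the reduction $\Phi$ and the maps $tv$/$mp$ are simple enough to write down as a program, which makes it easy to see what Lemma 3 and Lemma 4 below actually compare. The following is an added example, not code from the paper: it builds the S1S formula $A^\sigma$ as text, treating $B^y$ as the result of renaming the free first-order variable, and represents predecessor-closed predicates as either $\{1, \ldots, n\}$ or $\omega$ so that $tv$, $mp$ and the inclusion order of the last paragraph can be computed. The tuple encoding of formulas and the names `sigma`, `phi`, `tv`, `mp`, `subset` are this example's own; $\bigcirc A$ has to be spelled out as $(\forall q)((q \supset A) \vee q)$, as the section does.

```python
from fractions import Fraction

# Quantified propositional formulas as nested tuples (constructed representation):
#   ('var', p), ('bot',), ('top',), ('and', A, B), ('or', A, B), ('imp', A, B),
#   ('all', p, A), ('ex', p, A).

def TV(pred):
    """TV(P(x)) := (∀z)(P(z') ⊃ P(z)): the predicate P is closed under predecessor."""
    return f"(∀z)({pred}(z') ⊃ {pred}(z))"

def sigma(A):
    """A^σ, returned as a function of the name of the free first-order variable,
    so that B^y is simply sigma(B)('y') and B^σ is sigma(B)('x')."""
    t = A[0]
    if t == 'var':
        return lambda x: f"X_{A[1]}({x})"
    if t == 'bot':
        return lambda x: f"X_⊥({x})"
    if t == 'top':
        return lambda x: "(∀z)(z = z)"
    if t in ('and', 'or'):
        B, C, op = sigma(A[1]), sigma(A[2]), ('∧' if t == 'and' else '∨')
        return lambda x: f"({B(x)} {op} {C(x)})"
    if t == 'imp':
        B, C = sigma(A[1]), sigma(A[2])
        # (B ⊃ C)^σ = (∀y)(B^y ⊃ C^y) ∨ ((∃y)(B^y ∧ ¬C^y) ∧ C^σ)
        return lambda x: (f"((∀y)({B('y')} ⊃ {C('y')}) ∨ "
                          f"((∃y)({B('y')} ∧ ¬{C('y')}) ∧ {C(x)}))")
    if t in ('all', 'ex'):
        p, B = A[1], sigma(A[2])
        q, op = ('∀', '⊃') if t == 'all' else ('∃', '∧')
        pred = f"X_{p}"
        return lambda x: f"({q}{pred})({TV(pred)} {op} {B(x)})"
    raise ValueError(A)

def phi(A):
    """Φ(A) = (∀X_⊥)((∀x)¬X_⊥(x) ⊃ (∀x)A^σ)."""
    return f"(∀X_⊥)((∀x)¬X_⊥(x) ⊃ (∀x){sigma(A)('x')})"

# Predecessor-closed predicates: ('fin', n) stands for {1, ..., n}, 'omega' for ω.
def tv(P):
    """tv(P) = sup{1 - 1/n : n ∈ P}."""
    return Fraction(1) if P == 'omega' else Fraction(P[1] - 1, P[1])

def mp(v):
    """mp(v) = {1, ..., n} if v = 1 - 1/n, and ω if v = 1."""
    if v == 1:
        return 'omega'
    n = 1 / (1 - Fraction(v))             # exact: v = 1 - 1/n gives n
    assert n.denominator == 1, "v is not of the form 1 - 1/n"
    return ('fin', int(n))

def subset(P, Q):
    """P ⊆ Q for predecessor-closed P, Q (this is the order compared with tv)."""
    return Q == 'omega' or (P != 'omega' and P[1] <= Q[1])

if __name__ == '__main__':
    print(phi(('all', 'p', ('imp', ('var', 'p'), ('var', 'p')))))
    print(tv(('fin', 4)), mp(Fraction(3, 4)), subset(('fin', 2), 'omega'))
```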
Lemma 3. Let $v$ be a valuation and $s$ be the interpretation defined by $s(X_p) = 
mp(v(p))$ and $s(X_\bot) = \emptyset$. Then we have $tv(A^\sigma[s]) = v(A)$. 

Proof. By induction on the complexity of $A$. The claim is obvious for atomic 
formulas, conjunction and disjunction. If $A = B \supset C$ we have to distinguish 
two cases. Suppose first that $v(B) \le v(C)$. By induction hypothesis, $B^\sigma[s] = 
mp(v(B)) \subseteq mp(v(C)) = C^\sigma[s]$ and hence the first disjunct in the definition 
of $(B \supset C)^\sigma$ is true. Thus $(B \supset C)^\sigma$ defines $\omega$ and $tv((B \supset C)^\sigma[s]) = 1$. 
Now suppose that $v(B) > v(C)$. Then $tv(B^\sigma[s]) > tv(C^\sigma[s])$, $\mathrm{S1S} \not\models (\forall y)(B^y \supset 
C^y)[s]$ and $\mathrm{S1S} \models (\exists y)(B^y \wedge \neg C^y)[s]$, and thus $(B \supset C)^\sigma[s] = C^\sigma[s]$. 

If $A = (\exists p)B$, let $v[w/p]$ be the valuation which is just like $v$ except that 
$v[w/p](p) = w$, and let $s[mp(w)/X_p]$ be the corresponding interpretation which 
is like $s$ except that it assigns $mp(w)$ to $X_p$. 

By induction hypothesis, $tv(B^\sigma[s[mp(w)/X_p]]) = v[w/p](B)$. We again have 
two cases. Suppose first that $\sup\{v[w/p](B) : w \in V_\uparrow\} = 1 - 1/n$. For all 
$m > n$, $\mathrm{S1S} \not\models B^\sigma[s[m/x, mp(w)/X_p]]$, since $v[w/p](B) < 1 - 1/m$ by induction 
hypothesis. On the other hand, $\mathrm{S1S} \models (TV(X_p(x)) \wedge B^\sigma)[s[k/x, mp(1 - 1/n)/X_p]]$ 
for all $k \le n$, and so $tv(((\exists p)B)^\sigma[s]) = 1 - 1/n$. Now consider the case where 
$\sup\{v[w/p](B) : w \in V_\uparrow\} = 1$. Here there is no bound $n$ on the members 
of the sets defined by $B^\sigma[s[mp(w)/X_p]]$ where $w \in V_\uparrow$. Hence, $((\exists p)B)^\sigma[s] = \omega$ 
and $tv(((\exists p)B)^\sigma[s]) = 1$. 

The case $A = (\forall p)B$ is similar. □ 

Lemma 4. Let $s$ be an interpretation with $s(X_\bot) = \emptyset$ and $s(X_p) \in TV$. Let $v$ 
be defined by $v(p) = tv(s(X_p))$. Then $A^\sigma[s] \in TV$, and $v(A) = tv(A^\sigma[s])$. 

Proof. By induction on the complexity of $A$. The claim is again trivial for atomic 
formulas, conjunctions or disjunctions. If $A = B \supset C$, two cases occur. If $\mathrm{S1S} \models 
(\forall y)(B^y \supset C^y)$, then $B^y[s] \subseteq C^y[s]$. By induction hypothesis, $v(B) \le v(C)$, 
and hence $v(B \supset C) = 1 = tv((B \supset C)^\sigma[s])$. Otherwise, for some $n$ we have 
$n \in B^y[s]$ but $n \notin C^y[s]$. So $(\exists y)(B^y \wedge \neg C^y)$ must be true and the predicate 
defined is the same as $C^\sigma[s]$. 

Now for the case $A = (\exists p)B$: If $\mathrm{S1S} \models (\exists X_p)(TV(X_p) \wedge B^\sigma)[s[n/x]]$, then 
there is a prefix-closed witness $P$ so that $\mathrm{S1S} \models B^\sigma[s[n/x, P/X_p]]$. By induction 
hypothesis, $B^\sigma[s[P/X_p]] \in TV$, and hence $\mathrm{S1S} \models (TV(X_p) \wedge B^\sigma)[s[m/x, P/X_p]]$ 
for all $m \le n$, and thus $((\exists p)B)^\sigma[s] \in TV$ as well. 

Consider $N = ((\exists p)B)^\sigma[s]$. First, suppose that $\sup N = k$. That means that 
for some $P \in TV$, $k \in B^\sigma[s[P/X_p]]$, and for no $Q \in TV$ and no $j > k$, 
$j \in B^\sigma[s[Q/X_p]]$. By induction hypothesis, $v[tv(P)/p](B) = 1 - 1/k$ and for all 
$w \in V_\uparrow$, $v[w/p](B) \le 1 - 1/k$. Hence $v((\exists p)B) = 1 - 1/k$. 

If $\sup N$ does not exist, for each $k$ there is a witness $Q_k \in TV$ with $k \in 
B^\sigma[s[Q_k/X_p]]$. By induction hypothesis, for each $k$ we have $v[tv(Q_k)/p](B) \ge 
1 - 1/k$, and so $v((\exists p)B) = 1$. 

The case $A = (\forall p)B$ is similar. □ 



Theorem 5. $G^{qp}_\uparrow$ is decidable. 

Proof. If there is a valuation $v$ such that $v(A) < 1$, then by Lemma 3 there is 
an $s$ with $s(X_\bot) = \emptyset$ and $n$ so that $n \notin A^\sigma[s]$, and hence $\mathrm{S1S} \not\models \Phi(A)$. 

Conversely, suppose $\mathrm{S1S} \not\models \Phi(A)$. We may assume, without loss of generality, 
that all propositional variables in $A$ are bound. Then there is an interpretation 
$s$ with $X_\bot(x)[s] = \emptyset$ so that some $n \notin A^\sigma[s]$. By Lemma 4, $A^\sigma[s] \in TV$. Hence, 
if $n \notin A^\sigma[s]$ then $k \notin A^\sigma[s]$ for all $k > n$, and, also by Lemma 4, $v(A) = 
tv(A^\sigma[s]) < 1$. 

Thus a formula $A$ is a tautology in $G^{qp}_\uparrow$ iff $\mathrm{S1S} \models \Phi(A)$. The claim follows 
by the decidability of S1S. □ 



5 Properties and Normal Forms 

In this section we introduce suitable normal forms for formulas of $QG^{qp}_\uparrow$ and 
prove some useful properties of $QG^{qp}_\uparrow$. These results will be crucial in the proof 
of the elimination of quantifiers. 

Proposition 6. 1. $QG^{qp}_\uparrow \vdash (A \supset B) \supset (\bigcirc A \supset \bigcirc B)$ 

2. $QG^{qp}_\uparrow \vdash \bigcirc(A \wedge B) \leftrightarrow (\bigcirc A \wedge \bigcirc B)$ 

3. $QG^{qp}_\uparrow \vdash \bigcirc(A \vee B) \leftrightarrow (\bigcirc A \vee \bigcirc B)$ 

Proof. (1) From (G2) we have $(A \supset B) \prec \bigcirc(A \supset B)$, which, together with the 
left-to-right direction of (G1), yields the result. 

(2) The left-to-right implication immediately follows from axioms (I2) and 
(I3) together with Prop. 6(1). For the converse, replace $B$ by $B \supset (A \wedge B)$ in 
Prop. 6(1) and use (I4) to derive $\bigcirc A \supset \bigcirc(B \supset (A \wedge B))$. Then, using (G1), one 
has $\bigcirc A \supset (\bigcirc B \supset \bigcirc(A \wedge B))$. The claim follows by IPC. 

(3) In LC, we have $(A \vee B) \leftrightarrow (((A \supset B) \supset B) \wedge ((B \supset A) \supset A))$. Replacing 
$A$ by $\bigcirc A$ and $B$ by $\bigcirc B$, we have $(\bigcirc A \vee \bigcirc B) \leftrightarrow (((\bigcirc A \supset \bigcirc B) \supset \bigcirc B) \wedge ((\bigcirc B \supset 
\bigcirc A) \supset \bigcirc A))$. The result follows using (G1) and IPC. □ 



Proposition 7. 1. If $p$ does not occur bound in $C(p)$, then 

$$QG^{qp}_\uparrow \vdash (\forall \bar q)(A \leftrightarrow B) \supset (C(A) \leftrightarrow C(B))$$

where $\bar q$ are the propositional variables occurring free in $A$ and $B$. 

2. If $C(p)$ is quantifier-free, we also have 

$$QG^{qp}_\uparrow \vdash (A \leftrightarrow B) \supset (C(A) \leftrightarrow C(B))$$

Proof. By induction on the complexity of $C$. Cases for $\wedge$, $\vee$, and $\supset$ are easy. 
If $C(p) = \bigcirc D(p)$, we use the induction hypothesis and Prop. 6(1). If $C(p) = 
(\exists r)D(p, r)$, we argue: 

$$\begin{array}{lll}
(1) & (\forall \bar q)(A \leftrightarrow B) \supset (D(A, r) \leftrightarrow D(B, r)) & \text{by IH} \\
(2) & ((\forall \bar q)(A \leftrightarrow B) \wedge D(A, r)) \supset D(B, r) & (1), \text{IPC} \\
(3) & D(B, r) \supset (\exists r)D(B, r) & (\supset\exists) \\
(4) & ((\forall \bar q)(A \leftrightarrow B) \wedge D(A, r)) \supset (\exists r)D(B, r) & (2), (3) \\
(5) & D(A, r) \supset ((\forall \bar q)(A \leftrightarrow B) \supset (\exists r)D(B, r)) & (4), \text{IPC} \\
(6) & (\exists r)D(A, r) \supset ((\forall \bar q)(A \leftrightarrow B) \supset (\exists r)D(B, r)) & (5), (\mathrm{R}\exists) \\
(7) & (\forall \bar q)(A \leftrightarrow B) \supset ((\exists r)D(A, r) \supset (\exists r)D(B, r)) & (6), \text{IPC}
\end{array}$$

The case of $C = (\forall r)D(p, r)$ is handled similarly. □ 

Definition 8. A formula $A$ of $QG^{qp}_\uparrow$ is in $\bigcirc$-normal form if it is quantifier-free 
and for all subformulas $\bigcirc B$ of $A$, $B \in \{\bot, \top\} \cup Var$ or $B = \bigcirc B'$. 

Proposition 9. Let $A$ be a quantifier-free formula of $QG^{qp}_\uparrow$. Then there exists 
a formula $A'$ of $QG^{qp}_\uparrow$ in $\bigcirc$-normal form such that $QG^{qp}_\uparrow \vdash A \leftrightarrow A'$. 

Proof. Follows from axiom (G1), Prop. 6(2) and (3) using Prop. 7(2). □ 



Proposition 10. For every $n \ge 0$, $QG^{qp}_\uparrow \vdash \bigcirc^n \top \leftrightarrow \top$. 

Proof. $\bigcirc^n \top \supset \top$ is already derivable intuitionistically. For $\top \supset \bigcirc^n \top$, use (G2), 
Prop. 6(1), and induction on $n$. □ 

For propositional Gödel logic, a normal form similar to the disjunctive normal 
form of classical logic has been introduced in [1] (see also [3, 4]). This so-called 
chain normal form is based on the fact that, in a sense, the truth value of a 
formula only depends on the ordering of the variables occurring in the formula 
induced by the valuation under consideration. The chain normal form can then 
be constructed by enumerating all such orderings (using $\prec$ and $\leftrightarrow$ to encode 
the ordering) in a way similar to how one constructs a disjunctive normal form 
by enumerating all possible truth value assignments. We extend the notion of 
chain normal form and the results of [3] in order to deal with the $\bigcirc$ connective. 
This is possible, since by Prop. 9 we can always push the $\bigcirc$ in front of atomic 
subformulas, so we only need to consider orderings of subformulas of the form 
$\bigcirc^j B$ with $B$ atomic. Let $\Gamma$ be a finite subset of $\{\bigcirc^j p, \bigcirc^j \bot : p \in Var, j \in \omega\} \cup \{\top\}$ 
with $\bot, \top \in \Gamma$. 

Definition 11. A $\bigcirc$-chain over $\Gamma$ is an expression of the form 

$$(S_1 \ast_1 S_2) \wedge \cdots \wedge (S_{n-1} \ast_{n-1} S_n)$$

such that $\Gamma = \{S_1, \ldots, S_n\}$, $S_1 = \bot$, $S_n = \top$, and $\ast_i \in \{\prec, \leftrightarrow\}$, for all $i = 
1, \ldots, n$. 

Every $\bigcirc$-chain $C$ uniquely determines a partition $\Pi^C_1, \ldots, \Pi^C_k$ of $\Gamma$ so that 
$\Pi^C_i = \{S_{j_i}, \ldots, S_{j_{i+1}-1}\}$, where $j_1 = 1$, $j_{k+1} = n + 1$, $j_i < j_{i+1}$, $\ast_{j_i} = \cdots = 
\ast_{j_{i+1}-2} = \leftrightarrow$ and $\ast_{j_{i+1}-1} = \prec$. Conversely, every such partition determines a $\bigcirc$- 
chain up to provable equivalence. It is easily seen that if $C$ is such a chain, then 
$QG^{qp}_\uparrow \vdash C \supset (S_i \leftrightarrow S_j)$ if $S_i, S_j \in \Pi^C_l$ for some $l$, and $QG^{qp}_\uparrow \vdash C \supset (S_i \prec S_{i'})$ if 
$S_i \in \Pi^C_j$, $S_{i'} \in \Pi^C_{j'}$ and $j < j'$. Thus $C$ also uniquely corresponds to an ordering 
of $\Gamma$ which we denote $<_C$, defined by $S_i <_C S_{i'}$ iff $S_i \in \Pi^C_j$, $S_{i'} \in \Pi^C_{j'}$ and 
$j < j'$. This order is total, the $\Pi^C_i$ are maximal anti-chains, $\bot$ is minimal, and 
$\top$ is maximal. 

Suppose now that $A$ is in $\bigcirc$-normal form, and that $\Gamma$ contains all the sub- 
formulas of $A$ of the form $\bigcirc^j p$ or $\bigcirc^j \bot$, as well as $\top$; that $C$ is a $\bigcirc$-chain on 
$\Gamma$; and that the valuation $v$ agrees with $<_C$, i.e., $S_i <_C S_j$ iff $v(S_i) < v(S_j)$. 
Using the same idea as in the proof of Lemma 3 in [3], one can find $A^C \in \Gamma$, 
the "value" of $A$ under $C$, so that $v(A^C) = v(A)$, and the choice of $A^C$ depends 
only on $<_C$, not on $v$ itself. Specifically, $A^C$ can be constructed as follows: (1) If 
$A \in \Gamma$, then $A^C = A$. (2) If $A = D \wedge E$, then $A^C = D^C$ if $D^C <_C E^C$, and 
$A^C = E^C$ otherwise. (3) If $A = D \vee E$, then $A^C = D^C$ if $E^C <_C D^C$, and $A^C = E^C$ 
otherwise. (4) If $A = D \supset E$, then $A^C = E^C$ if $E^C <_C D^C$, and $A^C = \top$ otherwise. 
This "evaluation" of $A$ is provable in the sense that $QG^{qp}_\uparrow \vdash C \supset (A \leftrightarrow A^C)$. 
This follows easily using the following theorems of LC: 

$$\begin{array}{ll}
(D \prec E) \supset ((D \wedge E) \leftrightarrow D) & (E \prec D) \supset ((D \wedge E) \leftrightarrow E) \\
(D \leftrightarrow E) \supset ((D \wedge E) \leftrightarrow D) & (D \leftrightarrow E) \supset ((D \vee E) \leftrightarrow E) \\
(E \prec D) \supset ((D \vee E) \leftrightarrow D) & (E \leftrightarrow D) \supset ((D \vee E) \leftrightarrow E) \\
(D \prec E) \supset ((D \supset E) \leftrightarrow \top) & (E \prec D) \supset ((D \supset E) \leftrightarrow E) \\
(E \leftrightarrow D) \supset ((D \supset E) \leftrightarrow \top) &
\end{array}$$

Definition 12. Let $A$ be a quantifier-free formula in $\bigcirc$-normal form, $\Gamma_A$ be the 
set of all subformulas of $A$ of the form $\bigcirc^j p$ or $\bigcirc^j \bot$, $\Gamma = \{\bot, \top\} \cup \Gamma_A$, and $\mathcal{C}(\Gamma)$ the set 
of all possible $\bigcirc$-chains over $\Gamma$. Then 

$$\bigvee_{C \in \mathcal{C}(\Gamma)} (C \wedge A^C)$$

is the $\bigcirc$-chain normal form for $A$ over $\Gamma$. 

Theorem 13. Let $A$ and $\Gamma$ be as above, and $A'$ be the $\bigcirc$-chain normal form for 
$A$ over $\Gamma$. Then $QG^{qp}_\uparrow \vdash A \leftrightarrow A'$. 

Proof. (See also Thm. 4 of [3].) First note that $\bigvee_{C \in \mathcal{C}(\Gamma)} C$ is a tautology and 
provable in LC. Since for each $C \in \mathcal{C}(\Gamma)$ we have $QG^{qp}_\uparrow \vdash (C \wedge A^C) \supset A$, the 
right-to-left implication $A' \supset A$ follows by case distinction. 

For the left-to-right implication, consider $A \supset (A \wedge \bigvee_{C \in \mathcal{C}(\Gamma)} C)$. This is 
provable, since $\bigvee_{C \in \mathcal{C}(\Gamma)} C$ is provable. By distributivity of $\wedge$ over $\vee$, we have 
$A \supset \bigvee_{C \in \mathcal{C}(\Gamma)} (A \wedge C)$. We have $(A \wedge C) \supset (C \wedge A^C)$ for each $C \in \mathcal{C}(\Gamma)$ 
from $QG^{qp}_\uparrow \vdash C \supset (A \leftrightarrow A^C)$. Together we get $A \supset \bigvee_{C \in \mathcal{C}(\Gamma)} (C \wedge A^C)$. □ 
We now strengthen the $\bigcirc$-normal form result so that only $\bigcirc$-chains that are 
intuitively "possible" need to be considered. For this, we have to verify that we 
can exclude chains $C$ which result in orders which, e.g., have $\bigcirc S <_C S$. 

Definition 14. A formula $A$ is in minimal normal form over $\Gamma$ if it is of the form 
$\bigvee_{C \in \mathcal{C}} C$ where each $C$ is a $\bigcirc$-chain over $\Gamma$, and so that the corresponding 
ordered partition $\Pi^C_1, \ldots, \Pi^C_k$ satisfies 

1. for no $i < j$ and $S \in \Gamma$ do we have $\bigcirc^{r+s}S \in \Pi^C_i$ and $\bigcirc^r S \in \Pi^C_j$ with $s > 0$; 

2. for all $S \in \Gamma$, if $\bigcirc^s S \in \Pi^C_i$ ($i < k$), then $\bigcirc^r S \notin \Pi^C_i$ if $r \ne s$; and 

3. for no $j, j'$ and $S \in \Gamma$ do we have both $\bigcirc^i S \in \Pi^C_j$ and $\bigcirc^{i+1}S \in \Pi^C_{j'}$ with 
$j' > j + 1$. 

Theorem 15. Let $A$ be in $\bigcirc$-normal form. There exists a formula $A^{mnf}$ in min- 
imal normal form such that $QG^{qp}_\uparrow \vdash A \leftrightarrow A^{mnf}$. 

Proof. By Thm. 13, $QG^{qp}_\uparrow \vdash A \leftrightarrow A'$ where $A'$ is a $\bigcirc$-chain normal form over $\Gamma$. 
Consider a disjunct of $A'$ of the form $C \wedge A^C$, where $\Pi^C_1, \ldots, \Pi^C_k$ is the ordered 
partition of $\Gamma$ corresponding to $C$. If $A^C \in \Pi^C_k$, then $QG^{qp}_\uparrow \vdash (C \wedge A^C) \leftrightarrow C$, 
since $QG^{qp}_\uparrow \vdash A^C \leftrightarrow (A^C \leftrightarrow \top)$. Otherwise, $A^C \in \Pi^C_i$ with $i < k$. Then the 
sequence $\Pi^C_i, \ldots, \Pi^C_k$ corresponds to a conjunction 

$$C' = (A^C \ast_1 S'_1) \wedge \ldots \wedge (S'_{l-1} \ast_l \top)$$

where for at least one $l' \le l$, $\ast_{l'} = \prec$, and $QG^{qp}_\uparrow \vdash C \leftrightarrow C'' \wedge C'$, where $C''$ is the 
part of $C$ corresponding to $\Pi^C_1, \ldots, \Pi^C_{i-1}$. Since $QG^{qp}_\uparrow \vdash A^C \leftrightarrow (A^C \leftrightarrow \top)$, we 
have 

$$QG^{qp}_\uparrow \vdash (C' \wedge A^C) \leftrightarrow (C' \wedge (\top \leftrightarrow A^C)) \qquad (1)$$

As is easily seen, the right-hand side of (1) is provably equivalent to 

$$C''' = (A^C \leftrightarrow S'_1) \wedge \ldots \wedge (S'_{l-1} \leftrightarrow \top)$$

In sum, $QG^{qp}_\uparrow \vdash (C \wedge A^C) \leftrightarrow (C'' \wedge C''')$, and $C'' \wedge C'''$ is a $\bigcirc$-chain. 

By induction on the number of disjuncts in $A'$ one shows that there is $A''$ 
which is a disjunction of $\bigcirc$-chains such that $QG^{qp}_\uparrow \vdash A \leftrightarrow A''$. Now we have to 
prove that there exists a disjunction of $\bigcirc$-chains $A'''$ satisfying 1-3 of Def. 14 so 
that $QG^{qp}_\uparrow \vdash A'' \leftrightarrow A'''$. 

Suppose that for some disjunct $C$ in $A''$ we have $\bigcirc^{r+s}S \in \Pi^C_i$ and $\bigcirc^r S \in \Pi^C_j$ 
where $s > 0$ and $i < j$. Then, since $QG^{qp}_\uparrow \vdash (\bigcirc^{r+s}S \prec \bigcirc^r S) \leftrightarrow \bigcirc^r S$, we have 
$QG^{qp}_\uparrow \vdash C \leftrightarrow C'$ where $C'$ is the $\bigcirc$-chain corresponding to $\Pi^C_1, \ldots, \Pi^C_{i-1}, \Pi^C_i \cup 
\ldots \cup \Pi^C_k$. 

Consider a disjunct $C$ of $A''$ where for some $i < k$, both $\bigcirc^r S \in \Pi^C_i$ and 
$\bigcirc^s S \in \Pi^C_i$ where $r < s$. Then $QG^{qp}_\uparrow \vdash C \supset (\bigcirc^s S \leftrightarrow \top)$. To see this, recall that 
$QG^{qp}_\uparrow \vdash \bigcirc^r S \prec \bigcirc^s S$ if $r < s$. By definition of $\prec$, that means that 

$$QG^{qp}_\uparrow \vdash ((\bigcirc^s S \supset \bigcirc^r S) \supset \bigcirc^r S) \wedge (\bigcirc^r S \supset \bigcirc^s S). \qquad (2)$$

Since $QG^{qp}_\uparrow \vdash C \supset (\bigcirc^s S \leftrightarrow \bigcirc^r S)$, we have $QG^{qp}_\uparrow \vdash C \supset (\bigcirc^s S \supset \bigcirc^r S)$, which 
together with the left conjunct of (2) gives $QG^{qp}_\uparrow \vdash C \supset \bigcirc^r S$. Thus, as before, $C$ 
is provably equivalent to the $\bigcirc$-chain corresponding to $\Pi^C_1, \ldots, \Pi^C_{i-1}, \Pi^C_i \cup \ldots \cup \Pi^C_k$. 

Lastly, suppose that for a disjunct $C$ of $A''$ we have both $\bigcirc^i S \in \Pi^C_j$ and 
$\bigcirc^{i+1}S \in \Pi^C_{j'}$ for some $j, j'$ such that $j' > j + 1$. Then by axiom (G6) to- 
gether with transitivity we get $C \supset (\bigcirc^{i+1}S \prec \bigcirc^{i+1}S)$, and since $QG^{qp}_\uparrow \vdash (B \prec 
B) \leftrightarrow B$ we have $QG^{qp}_\uparrow \vdash C \leftrightarrow C'$ where $C'$ is the $\bigcirc$-chain corresponding to 
$\Pi^C_1, \ldots, \Pi^C_j, \Pi^C_{j+1} \cup \ldots \cup \Pi^C_k$. 

By induction on the number of disjuncts in $A''$ we obtain the desired $A'''$. □ 
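The $\bigcirc$-chains of Def. 11, the "value" $A^C$ constructed before Def. 12, and conditions 1-3 of Def. 14 are all finite and combinatorial, so they can be enumerated. The following is an added example, not code from the paper: it represents a $\bigcirc$-chain by its ordered partition $\Pi_1, \ldots, \Pi_k$ of $\Gamma$ (with $\bot \in \Pi_1$ and $\top \in \Pi_k$), enumerates all chains over a $\Gamma$ of the shape used in the proof of Lemma 20, filters out those violating Def. 14, and computes $A^C$ by clauses (1)-(4). Atoms are written as pairs $(S, k)$ for $\bigcirc^k S$; the encoding and the function names `gamma`, `chains`, `is_minimal`, `chain_value` are this example's own.

```python
# Elements of Γ are pairs (S, k) standing for ◯^k S, with S a variable name or '⊥';
# ⊤ is ('⊤', 0).  Formulas in ◯-normal form are built from these atoms with
# ('and', D, E), ('or', D, E), ('imp', D, E).  (Constructed representation.)
BOT, TOP = ('⊥', 0), ('⊤', 0)

def gamma(variables, m):
    """Γ = {◯^i S : S ∈ variables ∪ {⊥}, i ≤ m} ∪ {⊤}, as in the proof of Lemma 20."""
    return {(S, i) for S in list(variables) + ['⊥'] for i in range(m + 1)} | {TOP}

def ordered_partitions(elems):
    """All ordered partitions Π_1, ..., Π_k of elems, each as a list of frozensets."""
    elems = list(elems)
    if not elems:
        yield []
        return
    first, rest = elems[0], elems[1:]
    for part in ordered_partitions(rest):
        for i in range(len(part)):            # put `first` into an existing class ...
            yield part[:i] + [part[i] | {first}] + part[i + 1:]
        for i in range(len(part) + 1):        # ... or into a new class at position i
            yield part[:i] + [frozenset([first])] + part[i:]

def chains(G):
    """The ◯-chains over Γ (Def. 11): ordered partitions with ⊥ ∈ Π_1 and ⊤ ∈ Π_k."""
    return [P for P in ordered_partitions(G) if BOT in P[0] and TOP in P[-1]]

def is_minimal(P):
    """Conditions 1-3 of Def. 14 for the ordered partition P = Π_1, ..., Π_k."""
    rank = {e: i for i, cls in enumerate(P) for e in cls}
    top = len(P) - 1
    for (S, r), i in rank.items():
        for (S2, s), j in rank.items():
            if S2 != S or s == r:
                continue
            if s > r and j < i:            # 1: a higher power of ◯ strictly below a lower one
                return False
            if i == j and i < top:         # 2: two different powers share a non-top class
                return False
            if s == r + 1 and j > i + 1:   # 3: ◯^{r+1}S more than one class above ◯^r S
                return False
    return True

def minimal_chains(G):
    return [P for P in chains(G) if is_minimal(P)]

def chain_value(A, P):
    """A^C ∈ Γ, the value of A under the chain C whose ordered partition is P."""
    rank = {e: i for i, cls in enumerate(P) for e in cls}
    def val(f):
        if f[0] in ('and', 'or', 'imp'):
            d, e = val(f[1]), val(f[2])
            if f[0] == 'and':
                return d if rank[d] < rank[e] else e        # clause (2)
            if f[0] == 'or':
                return d if rank[e] < rank[d] else e        # clause (3)
            return e if rank[e] < rank[d] else TOP           # clause (4)
        return f                                             # clause (1): f ∈ Γ
    return val(A)

if __name__ == '__main__':
    G = gamma(['p'], 1)                            # Γ = {⊥, ◯⊥, p, ◯p, ⊤}
    A = ('imp', ('p', 0), ('p', 1))                # p ⊃ ◯p
    print(len(chains(G)), 'chains,', len(minimal_chains(G)), 'of them minimal')
    print('values of p ⊃ ◯p over minimal chains:', {chain_value(A, P) for P in minimal_chains(G)})
```

For $\Gamma = \{\bot, \bigcirc\bot, p, \bigcirc p, \top\}$ exactly nine ordered partitions survive Def. 14; on all of them $p \supset \bigcirc p$ evaluates to $\top$, whereas the unrestricted chains include orders with $\bigcirc p <_C p$, on which the value is $\bigcirc p$. This is the sense in which the minimal normal form discards the chains that are not "possible".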



6 Quantifier Elimination 

In this section we prove quantifier elimination for $QG^{qp}_\uparrow$. As a corollary of this 
result we show that the system $QG^{qp}_\uparrow$ is sound and complete for $G^{qp}_\uparrow$ and that 
the latter is the intersection of all finite-valued quantified propositional Gödel 
logics $G^{qp}_k$. 

Proposition 16. 1. $QG^{qp}_\uparrow \vdash (\forall p)A(p) \leftrightarrow (A(\bot) \wedge (\forall p)A(\bigcirc p))$ 

2. $QG^{qp}_\uparrow \vdash (\exists p)A(p) \leftrightarrow (A(\bot) \vee (\exists p)A(\bigcirc p))$. 

Proof. (1) The left-to-right implication follows easily from the two instances of 
$(\supset\forall)$ 

$$(\forall p)A(p) \supset A(\bot) \quad\text{and}\quad (\forall p)A(p) \supset A(\bigcirc p).$$

For right-to-left, consider 

$$(q \leftrightarrow \bot) \supset ((A(\bot) \wedge (\forall p)A(\bigcirc p)) \supset A(q)) \qquad (3)$$

$$(q \leftrightarrow \bigcirc p) \supset ((A(\bot) \wedge (\forall p)A(\bigcirc p)) \supset A(q)) \qquad (4)$$

which are derived easily from Prop. 7(2) using $\mathrm{IPC}^{qp}$. Use $(\mathrm{R}\exists)$ to introduce the 
existential quantifier in the antecedent of (4), and then (I12) to obtain 

$$[(q \leftrightarrow \bot) \vee (\exists p)(q \leftrightarrow \bigcirc p)] \supset ((A(\bot) \wedge (\forall p)A(\bigcirc p)) \supset A(q)) \qquad (5)$$

The antecedent of (5) is an instance of (G5), and so 

$$QG^{qp}_\uparrow \vdash (A(\bot) \wedge (\forall p)A(\bigcirc p)) \supset A(q)$$

from which the right-to-left direction of (1) follows by $(\mathrm{R}\forall)$. 

(2) The argument is analogous to the derivation of (1). □ 



Definition 17. For $\Gamma \subseteq Var \cup \{\bot, \top\}$, let $OP_\Gamma(A)$ be the set of formulas in- 
ductively defined as follows: 

$$\begin{array}{rcl}
OP_\Gamma(A \ast B) &=& OP_\Gamma(A) \cup OP_\Gamma(B), \text{ where } \ast \in \{\vee, \wedge, \supset\} \\
OP_\Gamma((Qp)A) &=& OP_\Gamma(A), \text{ where } Q \in \{\forall, \exists\} \\
OP_\Gamma(\bigcirc^k v) &=& \begin{cases} \{\bigcirc^k v\} & \text{if } v \in \Gamma \\ \emptyset & \text{otherwise} \end{cases}
\end{array}$$

Then $\exp_\Gamma(A) = \{k : \bigcirc^k q \in OP_\Gamma(A)\}$. 
Definition 18. The quantifier depth $qd(A)$ of a formula is defined by: 

$$\begin{array}{ll}
qd(p) = qd(\bot) = 0 & qd((\forall p)B) = qd((\exists p)B) = qd(B) + 1 \\
qd(B \ast C) = \max(qd(B), qd(C)) & \text{for } \ast \in \{\wedge, \vee, \supset\}
\end{array}$$

Lemma 19. Let $A$ be a closed formula such that (a) every quantifier-free sub- 
formula of $A$ is in $\bigcirc$-normal form and (b) no two quantifier occurrences bind 
the same variable. Let $\Delta = \{p_1, \ldots, p_j\}$ be the set of variables belonging to the 
innermost quantifiers in $A$, and $\Gamma = Var(A) \setminus \Delta$. Then there is a formula $A^\sharp$ so 
that 

1. $QG^{qp}_\uparrow \vdash A \leftrightarrow A^\sharp$, 

2. $\mathrm{maxexp}_\Delta(A^\sharp) < \mathrm{minexp}_\Gamma(A^\sharp)$, 

3. $\mathrm{maxexp}_{Var(A)}(A^\sharp) \le 2 \cdot \mathrm{maxexp}_{Var(A)}(A)$, 

4. $qd(A^\sharp) \le qd(A)$. 

Proof. Suppose $\Gamma = \{q_1, \ldots, q_l\}$. Let $A_0 = A$, $m = \mathrm{maxexp}_\Delta(A)$. At stage $i$, 
pick the non-innermost quantified subformula $(\forall q_i)B_i(q_i)$ or $(\exists q_i)B_i(q_i)$ of $A_i$ 
corresponding to $q_i$ and replace 

$$(\forall q_i)B_i(q_i) \text{ by } B_i(\bot) \wedge \ldots \wedge B_i(\bigcirc^{m-1}\bot) \wedge (\forall q_i)B_i(\bigcirc^m q_i)$$

$$(\exists q_i)B_i(q_i) \text{ by } B_i(\bot) \vee \ldots \vee B_i(\bigcirc^{m-1}\bot) \vee (\exists q_i)B_i(\bigcirc^m q_i)$$

to obtain $A_{i+1}$. The procedure terminates with $A_l = A^\sharp$. 

At each stage $QG^{qp}_\uparrow \vdash A_i \leftrightarrow A_{i+1}$ follows by induction on $m$ from Prop. 16. 
The bounds are obvious from the construction of $A^\sharp$. □ 

Lemma 20. Suppose $A(p)$ is in $\bigcirc$-normal form and 

$$\mathrm{maxexp}_{\{p\}} A < \mathrm{minexp}_{Var(A) \setminus \{p\}} A.$$

There is a formula $A^\exists$, with $Var(A^\exists) \subseteq Var(A) \setminus \{p\}$ so that 

$$QG^{qp}_\uparrow \vdash (\exists p)A \leftrightarrow A^\exists$$

and $\mathrm{maxexp}_{Var(A^\exists) \cup \{\bot\}} A^\exists \le \mathrm{maxexp}\, A + 1$. 

Proof. Let $m = \mathrm{maxexp}_{Var(A) \cup \{\bot\}} A$ be the maximal exponent of a subformula 
$\bigcirc^i S$ and let $\Gamma = \{\bigcirc^i S : S \in Var \cup \{\bot\}, i \le m\}$. 

Theorem 15 provides us with $A^{mnf}$ in minimal normal form over $\Gamma$ so that 
$QG^{qp}_\uparrow \vdash (\exists p)A \leftrightarrow (\exists p)A^{mnf}$. Since $\exists$ distributes over $\vee$, we only have to consider 
formulas of the form $(\exists p)C$ where $C$ is a $\bigcirc$-chain and satisfies the conditions of 
Thm. 15. $C$ corresponds to an ordered partition $\Pi_1, \ldots, \Pi_k$ over $\Gamma$. We prove 
that $QG^{qp}_\uparrow \vdash (\exists p)C \leftrightarrow C'$ for some quantifier-free $C'$ by induction on $k$. 

If $k = 2$, then either $p \in \Pi_1$ or $p \in \Pi_2$. In the first case, $QG^{qp}_\uparrow \vdash (\exists p)C(p) \leftrightarrow 
C(\bot)$, in the second one, $QG^{qp}_\uparrow \vdash (\exists p)C(p) \leftrightarrow C(\top)$. 
Now suppose $k > 2$. Three cases arise, according to how the equivalence 
classes containing $p$ are distributed. 

(1) The partition corresponding to $C$ is of the form 

$$\Pi_1, \ldots, \Pi_i, \{p\}, \{\bigcirc p\}, \ldots, \{\bigcirc^j p\} \cup \Pi_k$$

Then $C(p)$ is of the form 

$$B \wedge \underbrace{(S \prec p) \wedge (p \prec \bigcirc p) \wedge \ldots \wedge (\bigcirc^j p \leftrightarrow \top)}_{D(p)} \wedge E$$

Since $D(\top)$ is provable, $QG^{qp}_\uparrow \vdash (\exists p)C \leftrightarrow B \wedge (S \prec \top) \wedge E$. 

(2) The partition corresponding to $C$ is of the form 

$$\Pi_1, \ldots, \Pi_i, \{p\}, \{\bigcirc p\}, \ldots, \{\bigcirc^j p\}, \Pi_{i'}, \ldots, \Pi_k$$

and $\bigcirc^j p \notin \Pi_{i'}$. Then $C(p)$ is of the form 

$$B \wedge \underbrace{(S \prec p) \wedge (p \prec \bigcirc p) \wedge \ldots \wedge (\bigcirc^j p \prec S')}_{D(p)} \wedge E$$

We first show that $QG^{qp}_\uparrow \vdash (\exists p)D(p) \leftrightarrow (\bigcirc^{j+1}S \prec S')$. For the right-to-left 
direction, observe that 

$$QG^{qp}_\uparrow \vdash (\bigcirc^{j+1}S \prec S') \supset [(S \prec \bigcirc S) \wedge \ldots \wedge (\bigcirc^j S \prec \bigcirc^{j+1}S) \wedge (\bigcirc^{j+1}S \prec S')],$$

from which the claim follows by $(\mathrm{R}\exists)$. The left-to-right direction is proved by 
induction on $j$, using axiom (G6). In sum, we have 

$$QG^{qp}_\uparrow \vdash (\exists p)C(p) \leftrightarrow (B \wedge (\bigcirc^{j+1}S \prec S') \wedge E)$$

(3) The partition corresponding to $C$ is of the form 

$$\Pi_1, \ldots, \Pi_i, \{p\}, \{\bigcirc p\}, \ldots, \{\bigcirc^j p\} \cup \Pi, \Pi_{i'}, \ldots, \Pi_k$$

with $S \in \Pi$, $S \ne \bigcirc^j p$. Because of the condition on $\mathrm{maxexp}_{\{p\}} A$ we can assume 
that $S = \bigcirc^n q$ with $n \ge j$. 

We proceed by induction on $j$. If $j = 0$, then we have a conjunct $p \leftrightarrow S$, and 
$(\exists p)C \leftrightarrow C(S)$. Otherwise, we have a conjunct $\bigcirc^j p \leftrightarrow \bigcirc^n q$ with $n \ge j$. Using 
(G3), this conjunct is provably equivalent to $(\bigcirc^{j-1}p \leftrightarrow \bigcirc^{n-1}q) \vee (\bigcirc^j p \wedge \bigcirc^n q)$. 
Hence, $C$ is equivalent to the disjunction of two $\bigcirc$-chains corresponding to 

$$\Pi_1, \ldots, \Pi_i, \{p\}, \{\bigcirc p\}, \ldots, \{\bigcirc^{j-1}p, \bigcirc^{n-1}q\}, \Pi, \Pi_{i'}, \ldots, \Pi_k$$

$$\Pi_1, \ldots, \Pi_i, \{p\}, \{\bigcirc p\}, \ldots, \{\bigcirc^j p\} \cup \Pi \cup \Pi_{i'} \cup \ldots \cup \Pi_k$$

For the first $\bigcirc$-chain, the maximum exponent of $p$ is smaller and hence the in- 
duction hypothesis of the present subcase applies. The second $\bigcirc$-chain is shorter 
overall, and hence the induction hypothesis based on the number of equivalence 
classes applies. □ 
Lemma 21. Let $A(p)$ be in $\bigcirc$-normal form, and so that 
$\mathrm{maxexp}_{\{p\}} A < \mathrm{minexp}_{Var(A) \setminus \{p\}} A$. 

There is a formula $A^\forall$, with $Var(A^\forall) \subseteq Var(A) \setminus \{p\}$ so that 

$$QG^{qp}_\uparrow \vdash (\forall p)A \leftrightarrow A^\forall$$

and $\mathrm{maxexp}_{Var(A^\forall) \cup \{\bot\}} A^\forall \le \mathrm{maxexp}\, A + 1$. 

Proof. Let $A^{mnf}$ be the minimal normal form of $A$. It is provably equivalent to 
the formula obtained from $A^{mnf}$ by replacing each element of a chain $S \prec S'$ 
by $\bigcirc S \supset S'$. By distributivity then, $A \leftrightarrow A'$ where $A'$ is a conjunction of 
disjunctions of implications of the form $\bigcirc^i S \supset \bigcirc^j S'$. Any such disjunct of the 
form $\bigcirc^i p \supset \bigcirc^j p$ is provably equivalent to $\top$ if $i \le j$ (in which case the entire 
disjunction can be deleted), or to $\top \supset \bigcirc^j p$ if $i > j$. The part of a disjunction in 
$A'$ containing $p$ thus can be assumed to be of the form 

$$\bigvee_i (D_i \supset \bigcirc^{n_i} p) \vee \bigvee_j (\bigcirc^{m_j} p \supset E_j)$$

where $p \notin D_i, E_j$. This, in turn, is equivalent to a conjunction of disjunctions of 
the form 

$$\bigvee_i (D \supset \bigcirc^{n_i} p) \vee \bigvee_j (\bigcirc^{m_j} p \supset E)$$

This can again be simplified by taking $n = \max\{n_i\}$ and $m = \min\{m_j\}$, since 
$QG^{qp}_\uparrow \vdash (A \supset B) \vee (A \supset C) \leftrightarrow (A \supset C)$ if $QG^{qp}_\uparrow \vdash B \supset C$. 

Since $QG^{qp}_\uparrow \vdash (\forall p)(A \wedge B) \leftrightarrow (\forall p)A \wedge (\forall p)B$ and $QG^{qp}_\uparrow \vdash (\forall p)(A(p) \vee B) \leftrightarrow 
(\forall p)A(p) \vee B$ if $p \notin B$, it suffices to show that a formula of the form 

$$F = (\forall p)((D \supset \bigcirc^n p) \vee (\bigcirc^m p \supset E))$$

is equivalent to a quantifier-free formula. We distinguish three cases: 

(1) $E = \bigcirc^k \top$, $k \ge 0$. Then $QG^{qp}_\uparrow \vdash (\bigcirc^m p \supset E)$ and hence $QG^{qp}_\uparrow \vdash F \leftrightarrow \top$. 

(2) $E = \bigcirc^k \bot$, $k < m$. Then $QG^{qp}_\uparrow \vdash (\bigcirc^m p \supset E) \leftrightarrow E$, and hence $QG^{qp}_\uparrow \vdash 
F \leftrightarrow (D \supset \bigcirc^n \bot) \vee E$. 

(3) Since $\mathrm{maxexp}_{\{p\}} A < \mathrm{minexp}_{Var(A) \setminus \{p\}} A$ by assumption, this leaves 
only the case $E = \bigcirc^m S$. Then $QG^{qp}_\uparrow \vdash F \leftrightarrow (D \supset \bigcirc^{n+1}S) \vee \bigcirc^m S$. The left-to- 
right implication is obvious by $(\supset\forall)$, instantiating $p$ by $\bigcirc S$. For the right-to-left 
implication two cases arise: 

(a) $n < m$. By (G4), we have $QG^{qp}_\uparrow \vdash (D \supset \bigcirc^{n+1}S) \supset [(D \supset \bigcirc^n p) \vee (\bigcirc^n p \supset 
\bigcirc^n S)]$. Furthermore, $QG^{qp}_\uparrow \vdash (\bigcirc^n p \supset \bigcirc^n S) \supset (\bigcirc^m p \supset \bigcirc^m S)$. In sum, we have 

$$[(D \supset \bigcirc^{n+1}S) \vee \bigcirc^m S] \supset [(D \supset \bigcirc^n p) \vee (\bigcirc^m p \supset \bigcirc^m S) \vee \bigcirc^m S]$$

Since $QG^{qp}_\uparrow \vdash \bigcirc^m S \supset (\bigcirc^m p \supset \bigcirc^m S)$, we have $QG^{qp}_\uparrow \vdash [(D \supset \bigcirc^{n+1}S) \vee \bigcirc^m S] \supset F$. 

(b) $n \ge m$. By (G2), $QG^{qp}_\uparrow \vdash \bigcirc^m S \supset \bigcirc^{n+1}S$, and so $QG^{qp}_\uparrow \vdash [(D \supset \bigcirc^{n+1}S) \vee 
\bigcirc^m S] \supset (D \supset \bigcirc^{n+1}S)$. Using induction and (G4), it is easy to show that 

$$QG^{qp}_\uparrow \vdash (D \supset \bigcirc^{n+1}S) \supset \Big[(D \supset \bigcirc^n p) \vee \underbrace{\bigvee_{j=m}^{n-1} (\bigcirc^{j+1}p \supset \bigcirc^j p)}_{D'} \vee (\bigcirc^m p \supset \bigcirc^m S)\Big],$$

Each of the disjuncts $\bigcirc^{j+1}p \supset \bigcirc^j p$ implies $\bigcirc^j p$, which in turn implies $D \supset \bigcirc^n p$, so 
$QG^{qp}_\uparrow \vdash D' \supset (D \supset \bigcirc^n p)$. In sum, we have again $QG^{qp}_\uparrow \vdash [(D \supset \bigcirc^{n+1}S) \vee \bigcirc^m S] \supset 
F$. 

The bound on $\mathrm{maxexp}_{Var(A^\forall) \cup \{\bot\}} A^\forall$ follows by inspection. □ 

Theorem 22. For every closed formula $A$ of $QG^{qp}_\uparrow$ there exists a variable-free 
formula $A^{vf}$ such that $QG^{qp}_\uparrow \vdash A \leftrightarrow A^{vf}$ and $\mathrm{maxexp}_{\{\bot\}} A^{vf} \le \ldots$, where 

$$Z = \mathrm{maxexp}_{Var(A) \cup \{\bot\}} A.$$

Proof. We may assume, renaming variables if necessary, that each variable in $A$ is 
bound by only one quantifier occurrence. By induction on $qd(A)$. If $qd(A) = 0$, 
there is nothing to prove. If $qd(A) > 0$, let $A^\sharp$ be as in Lemma 19. Replace 
each innermost quantified formula $(\exists p)B$, $(\forall p)B$ by $B^\exists$ or $B^\forall$, respectively. The 
resulting formula $A'$ satisfies $qd(A') \le qd(A) - 1$ and $\mathrm{maxexp}_{Var(A) \cup \{\bot\}} A' \le 
2 \cdot \mathrm{maxexp}_{Var(A) \cup \{\bot\}} A + 1$. □ 



Proposition 23. Let $A$ be variable-free, and in $\bigcirc$-normal form. Then either 
$QG^{qp}_\uparrow \vdash A \leftrightarrow \top$ or $QG^{qp}_\uparrow \vdash A \leftrightarrow \bigcirc^k(\bot)$ where $k \le \mathrm{maxexp}_{\{\bot\}} A = n$. 

Proof. Consider the minimal normal form $A^{mnf}$ of $A$ over $\{\bigcirc^k(\bot) : k \le n\}$. Each 
chain in $A^{mnf}$ is of one of two forms 

$$C = (\bot \prec \bigcirc(\bot)) \wedge (\bigcirc(\bot) \prec \bigcirc\bigcirc(\bot)) \wedge \ldots \wedge (\bigcirc^{n-1}\bot \prec \bigcirc^n(\bot))$$

$$C_m = (\bot \prec \bigcirc(\bot)) \wedge (\bigcirc(\bot) \prec \bigcirc\bigcirc(\bot)) \wedge \ldots \wedge (\bigcirc^{m-1}\bot \prec \bigcirc^m(\bot)) \wedge \bigwedge_{k \ge m} \bigcirc^k(\bot)$$

$C$ is provable, so $QG^{qp}_\uparrow \vdash C \leftrightarrow \top$, and $QG^{qp}_\uparrow \vdash C_m \leftrightarrow \bigcirc^m(\bot)$. So if $A^{mnf}$ contains 
$C$, then $QG^{qp}_\uparrow \vdash A \leftrightarrow \top$, otherwise $QG^{qp}_\uparrow \vdash A \leftrightarrow \bigcirc^k(\bot)$, where $k$ is the maximum 
of the $m$ with $C_m$ occurring in $A^{mnf}$. □ 

Corollary 24. Let $A$ be closed and not containing $\bigcirc$. Then either $QG^{qp}_\uparrow \vdash A$ or 
$QG^{qp}_\uparrow \vdash A \leftrightarrow \bigcirc^k(\bot)$, where $k < 2^{qd(A)}$. 

Corollary 25. The calculus $QG^{qp}_\uparrow$ is complete for $G^{qp}_\uparrow$. 

Proof. If $QG^{qp}_\uparrow \nvdash A$, then $QG^{qp}_\uparrow \vdash A \leftrightarrow \bigcirc^k \bot$ for some $k$. Since $G^{qp}_\uparrow \not\models \bigcirc^k \bot$ for 
all $k$, $G^{qp}_\uparrow \not\models A$. □ 

Theorem 26. $G^{qp}_\uparrow$ is the intersection of all finite-valued quantified propositional 
Gödel logics. 

Proof. $QG^{qp}_\uparrow$ is sound for each finite-valued Gödel logic, so $G^{qp}_\uparrow \subseteq G^{qp}_k$ for each 
$k$. Conversely, if $G^{qp}_\uparrow \not\models A$, then $QG^{qp}_\uparrow \vdash A \leftrightarrow \bigcirc^k(\bot)$ for some $k$. Since $QG^{qp}_\uparrow$ is 
sound for $G^{qp}_{k+2}$, we have $G^{qp}_{k+2} \not\models A$ as obviously $G^{qp}_{k+2}$ 
Abstract. We reduce the provability of fragments of multiplicative lin- 
ear logic to matching problems consisting in finding a one-one-corres- 
pondence between two sets of first-order terms together with a unifier 
that equates the corresponding terms. According to the kind of struc- 
ture to which these first-order terms belong our matching problem corre- 
sponds to provability in the implicative fragment of multiplicative linear 
logic, in the Lambek calculus, or in the non-associative Lambek calculus. 



1 Introduction 

Four decades ago, Lambek introduced a non-commutative logical calculus, known 
as L, intended to give a mathematical account of the structure of natural lan- 
guages [13]. This calculus, which serves as a basis for modern categorial gram- 
mars [17,18,24], appears a posteriori to be the intuitionistic non-commutative 
fragment of Girard’s multiplicative linear logic [7] . 

In a categorial grammar, sentence parsing amounts to automatic deduction 
in the underlying logical calculus. This gives a practical interest to proof-search 
algorithms for L. Nevertheless, the complexity of L provability is still an open 
problem, even in the case of its implicative fragment. It is known, however, that 
the calculus obtained by allowing L to be commutative (i.e., the intuitionis- 
tic fragment of multiplicative linear logic) is NP-complete. This result, due to 
Kanovitch, remains valid in the purely implicative case [9]. On the other hand, 
NL (the non-associative variant of L that Lambek introduced in [14]) is known 
to be polynomial. This has been established by Aarts and Trautwein for the 
implicative fragment of NL [1], and by ourselves for the full system [6]. 

In this paper, we try to get some new insight into the complexity of L. To 
this end, we reduce provability in the implicative fragment of L to a matching 
problem consisting in finding a one-one-correspondence between two sets of first- 
order terms ranging over the free monoid, together with a unifier that equates 
the corresponding terms. Interestingly enough, when the terms range over the 
free groupoid or over the free commutative monoid, our matching problem cor- 
responds to provability in the implicative fragments of NL or multiplicative 
linear logic, respectively. This sheds light on the role played by associativity, 
and commutativity. 
Our reduction, which is inspired by the language models of L [20], is not 
entirely new. Indeed, in his thesis [22], Roorda shows how to associate to any 
formula L a matching problem akin to ours. With respect to this, our contribu- 
tion is twofold: 

— we show that a formula is provable if and only if the associated matching 
problem admits a solution (Roorda only proves the easy part of this state- 
ment, i.e., the necessity of the condition); 

— we define a notion of PN-matching that characterises exactly the matching 
problems that are associated to formulas; consequently, our reduction works 
in both directions. 

We also define a general proof-search procedure that works for the implicative 
fragments of NL, L, and multiplicative linear logic. This procedure, which is 
based on our notion of PN-matching, is specified by a non-deterministic transition 
system. Here, our main contribution is to show that each transition is history 
independent, which allows dynamic programming techniques to be used. 

2 Intuitionistic Implicative Linear Logic 

In this section, we present three variants of intuitionistic implicative linear logic: 
the implicative fragment of Girard's multiplicative linear logic [7], the implicative 
fragment of Lambek's calculus of syntactic types (also known as the Lambek cal- 
culus) [13], and the implicative fragment of the so-called non-associative Lambek 
calculus [14]. These three calculi will be called IMLL, IL, and INL, respectively. 
As we will see, IMLL may be seen as the commutative extension of IL, which 
may be seen as the associative extension of INL. 

We start with a presentation of the weakest system. The formulas of INL
are built up from a set of atomic formulas $\mathcal{A}$ and the connectives $\multimap$ and $\multimapinv$
according to the following grammar:

\[ \mathcal{T} ::= \mathcal{A} \mid (\mathcal{T} \multimap \mathcal{T}) \mid (\mathcal{T} \multimapinv \mathcal{T}) \]

The consequence relation of INL is specified by the following Gentzen-like sequent
calculus. The sequents of this calculus have the form $\Gamma \vdash A$ where $\Gamma$ is
a (possibly empty)¹ binary tree of formulas, i.e., a fully bracketed structure. We
take for granted the notion of context, i.e., a binary tree with a hole. If $\Gamma[\,]$ is
such a context, $\Gamma[\Delta]$ denotes the binary tree obtained by filling the hole in $\Gamma[\,]$
with the binary tree $\Delta$.

\[ \frac{}{A \vdash A}\ (\mathrm{Id}) \]

\[ \frac{\Gamma \vdash A \qquad \Delta[B] \vdash C}{\Delta[(\Gamma, (A \multimap B))] \vdash C}\ (\multimap\text{-L})
\qquad
\frac{(A, \Gamma) \vdash B}{\Gamma \vdash (A \multimap B)}\ (\multimap\text{-R}) \]

\[ \frac{\Gamma \vdash A \qquad \Delta[B] \vdash C}{\Delta[((B \multimapinv A), \Gamma)] \vdash C}\ (\multimapinv\text{-L})
\qquad
\frac{(\Gamma, A) \vdash B}{\Gamma \vdash (B \multimapinv A)}\ (\multimapinv\text{-R}) \]

¹ This is a slight departure from the original (non associative) Lambek calculus that
requires sequents whose antecedents are non empty.

The above system does not include any structural rule. As a consequence
INL, seen as a logical system, is quite weak (without being trivial). For instance,
the two connectives $\multimap$ and $\multimapinv$ do not satisfy the following transitivity rules:

\[ (A \multimap B, B \multimap C) \vdash A \multimap C \qquad (C \multimapinv B, B \multimapinv A) \vdash C \multimapinv A \]

Indeed, these two rules suppose the associativity of the binary operation whose
residuals are $\multimap$ and $\multimapinv$.

Now, by extending INL with the following structural rules, which allow for
associativity, we obtain the Lambek calculus IL:

\[ \frac{\Gamma[(\Delta, (\Theta, \Lambda))] \vdash A}{\Gamma[((\Delta, \Theta), \Lambda)] \vdash A}\ (\mathrm{assoc}_1)
\qquad
\frac{\Gamma[((\Delta, \Theta), \Lambda)] \vdash A}{\Gamma[(\Delta, (\Theta, \Lambda))] \vdash A}\ (\mathrm{assoc}_2) \]

In fact, the usual presentation of IL leaves Rules (assoc$_1$) and (assoc$_2$) implicit
by defining the antecedents of the sequents to be sequences of formulas rather
than binary trees.

Finally, by extending IL with the following exchange rule:

\[ \frac{\Gamma[(\Delta, \Theta)] \vdash A}{\Gamma[(\Theta, \Delta)] \vdash A} \]

one obtains the implicative fragment of Girard's multiplicative linear logic. In
this case, there is no longer any need for distinguishing between two kinds of
implications because the formulas $A \multimap B$ and $B \multimapinv A$ are provably equivalent.

It is well-known that IMLL, IL, and INL are such that any sequent $(A, \Gamma) \vdash B$
is provable if and only if $\Gamma \vdash A \multimap B$ is provable. This allows the provability
problem for sequents to be reduced to the provability problem for sequents
made of only one formula. In the sequel of this paper, for the sake of simplicity,
we will only consider such one-formula sequents.



3 Intuitionistic Proof-Nets 

In Girard's multiplicative linear logic, implication is not taken as a primitive. The
formulas are built upon a set of literals, i.e., atomic formulas $(A, B, C, \ldots)$ or
negated atomic formulas $(A^\perp, B^\perp, C^\perp, \ldots)$, by means of two connectives $\otimes$ and $\parr$
that correspond to multiplicative conjunction and disjunction, respectively.
Then, implication is defined according to de Morgan's laws. This gives rise to
the following translation of the implicative formulas introduced in the previous
section:



\[ \begin{array}{ll}
[\![A]\!]^+ = A & [\![A]\!]^- = A^\perp \\[2pt]
[\![\alpha \multimap \beta]\!]^+ = [\![\alpha]\!]^- \parr [\![\beta]\!]^+ & [\![\alpha \multimap \beta]\!]^- = [\![\beta]\!]^- \otimes [\![\alpha]\!]^+ \\[2pt]
[\![\beta \multimapinv \alpha]\!]^+ = [\![\beta]\!]^+ \parr [\![\alpha]\!]^- & [\![\beta \multimapinv \alpha]\!]^- = [\![\alpha]\!]^+ \otimes [\![\beta]\!]^-
\end{array} \]

Example 1. Let $F = (C \multimap (B \multimapinv A)) \multimap (C \multimap (B \multimapinv ((E \multimapinv E) \multimap ((D \multimap D) \multimap A))))$.
Then, we have

\[ [\![F]\!]^+ = ((A \otimes B^\perp) \otimes C) \parr (C^\perp \parr (B \parr ((A^\perp \otimes (D^\perp \parr D)) \otimes (E \parr E^\perp)))) \]

This translation allows proof-nets to be defined for IMLL, IL, and INL. 
Proof-nets are a graph-theoretic representation of proofs. Their definition comes 
in two rounds. One first defines a notion of proof-structure, which corresponds 
to a class of graphs intended to represent proofs. Then one gives a correctness 
criterion that allows one to distinguish the proof-structures that correspond to 
actual proofs from the other ones. 

There exist several correctness criteria in the literature [3,4,7,8,10] (including 
criteria adapted to the non-commutative case [12,19,21,22]), among which the 
most well known are Girard’s long trip condition [7], and the Danos-Regnier 
criterion [4]. These criteria might be used in the present intuitionistic setting 
because (contrarily to classical logic) multiplicative linear logic is a conserva- 
tive extension of its intuitionistic fragment. Nevertheless, it is possible to define 
criteria that are intrinsically intuitionistic. This is the case of the criterion we 
give here, which is taken from [5] . This criterion has also the advantage of being 
easily adaptable to the non-commutative and the non-associative cases. 

Proof-nets and proof-structures being simple graphs (whose vertices are decorated
with literals and connectives), we use freely elementary graph-theoretic
concepts that can be found in any textbook. In particular, we adopt the terminology
of [2], and we will write $P = (V, E)$ for a proof-structure (or a proof-net)
$P$ whose set of vertices is $V$, and set of edges is $E$. We also take for granted the
notion of parse tree of a multiplicative formula. The leaves of such a parse tree
are decorated with literals, and its nodes are decorated either with the connective
$\otimes$ or the connective $\parr$.

We first introduce a notion of proof-frame. Then we define the notions of 
proof-structure and proof-net. 

Definition 1. Let $A$ be an implicative formula. The proof-frame of $A$ is defined
to be the parse tree of the multiplicative formula $[\![A]\!]^+$. ■

The translation $[\![\,]\!]^+$ implicitly assigns polarities (positive or negative) to all
the sub-formulas of a given implicative formula. This assignment is reflected on
the proof-frames as follows:

— each leaf that is decorated with a positive literal $(A, B, C, \ldots)$ is assigned
the positive polarity;

— each leaf that is decorated with a negative literal $(A^\perp, B^\perp, C^\perp, \ldots)$ is
assigned the negative polarity;

— each node that is decorated with $\parr$ is assigned the positive polarity;

— each node that is decorated with $\otimes$ is assigned the negative polarity.

In a proof-frame, a subgraph made of one node together with its two daughters
is called a link. The left and right daughters of a link are respectively called its
left and right premises. The mother is called the conclusion of the link. Note that
the two premises of any link are assigned opposite polarities by the translation
$[\![\,]\!]^+$. Consequently, one distinguishes between four sorts of links according to
the polarities that are assigned to their vertices. The npp-links are defined to be
the links whose left premise is negative, whose conclusion is positive, and whose
right premise is positive. The ppn-links, nnp-links, and pnn-links are defined
accordingly. The npp- and ppn-links are also called $\parr$-links, according to the
connective that decorates their conclusions. Similarly, the nnp- and pnn-links
are called $\otimes$-links.

Definition 2. Let $A$ be an implicative formula. A proof-structure of $A$ (if any)
is a simple decorated graph made of:

(a) the proof-frame of $A$,

(b) a perfect matching on the leaves of this proof-frame that relates any leaf
decorated with a positive literal $A$ to some leaf decorated with the negative
literal $A^\perp$.

The edges defining the perfect matching on the leaves of the proof-frame are called
the axiom links of the proof-structure. ■

In a proof-structure, the two leaves of the underlying proof-frame that are
related by a given axiom link are called the conclusions of this axiom link. We
also define the principal inputs of a proof-structure (or a proof-frame) to be the
negative premises of its $\parr$-links. Similarly, we define its principal outputs to be
the positive premises of its $\otimes$-links (this notion will be only needed in Section 4).

Let $\Sigma$ be a countably infinite set, whose elements will be called the constants.
We write $T(\Sigma)$ for the carrier set of the groupoid² $(T(\Sigma), \cdot, \varepsilon)$ freely generated
by $\Sigma$. We also write $\Sigma^*$ (respectively, $\mathbb{N}^\Sigma$) for the carrier sets of the monoid
$(\Sigma^*, \cdot, \varepsilon)$ (respectively, the commutative monoid³ $(\mathbb{N}^\Sigma, \cdot, \varepsilon)$) freely generated by
$\Sigma$.

Definition 3. Let $A$ be an implicative formula. An INL (respectively, IL,
IMLL) proof-net of $A$ (if any) is a proof-structure of $A$, $P = (V, E)$, together
with a map $\rho : V \to T(\Sigma)$ (respectively, $\rho : V \to \Sigma^*$, $\rho : V \to \mathbb{N}^\Sigma$) such
that:

(a) the value assigned by $\rho$ to the root of the underlying proof-frame is $\varepsilon$;

(b) the values assigned by $\rho$ to the principal inputs of $P$ are constants that are
pairwise different;

(c) the values assigned by $\rho$ to the two conclusions of an axiom-link are equal;

² I.e., an algebraic structure with a (not necessarily associative) binary operation
that admits an identity element $\varepsilon$.

³ Remark that the set of functions from a set $\Sigma$ to $\mathbb{N}$, together with the pointwise
addition, corresponds indeed to the commutative monoid freely generated by $\Sigma$.
Therefore, in this case, it would be more natural to write "$+$" for the binary operation
of the structure. Nevertheless, for the sake of uniformity, we will stick to the product
notation.
(d) the values assigned by $\rho$ obey the constraints given in Figure 1, i.e.:

(d1) the value assigned to the positive premise of an npp-link must be equal to
the product of the value assigned to its conclusion with the value assigned
to its negative premise;

(d2) the value assigned to the positive premise of a ppn-link must be equal to
the product of the value assigned to its negative premise with the value
assigned to its conclusion;

(d3) the value assigned to the negative premise of an nnp-link must be equal to
the product of the value assigned to its conclusion with the value assigned
to its positive premise;

(d4) the value assigned to the negative premise of a pnn-link must be equal to
the product of the value assigned to its positive premise with the value
assigned to its conclusion. ■



Fig. 1. Constraints on the links of a proof-net. Each link is drawn with its two
premises above its conclusion; reading left premise, right premise, conclusion:
npp-link: $a^-$, $(t \cdot a)^+$, conclusion $t$ (a $\parr$ node);
ppn-link: $(a \cdot t)^+$, $a^-$, conclusion $t$ ($\parr$);
nnp-link: $(t \cdot u)^-$, $u^+$, conclusion $t$ ($\otimes$);
pnn-link: $u^+$, $(u \cdot t)^-$, conclusion $t$ ($\otimes$).



In [5], the notion of dynamic graph underlying a proof-net is introduced.
Using this notion, it is easy to prove that, for any given proof-net, the valuation
$\rho$ is unique up to the renaming of the atoms assigned to the principal inputs.

Example 2. Figure 2 gives a proof-net for the formula of Example 1. 

In his thesis [22], Roorda noted that it is possible to assign labels that obey
the constraints of Definition 3 to the vertices of any correct proof-structure (i.e.,
a proof-structure that corresponds to some sequent derivation). On the other
hand, he did not prove that the existence of such an assignment is sufficient to
ensure correctness. He stated it as an open problem. We solved the question in
[5], where we proved that the condition is indeed sufficient.⁴ Consequently, we
have the following proposition.

Proposition 1. Let A be an implicative formula. A is INL (respectively, IL, 
IMLL) provable if and only if there exists an INL (respectively, IL, IMLL) 
proof-net for it. □ 

4 Proof-Search as a Matching Problem 

Definition 3 suggests almost immediately a proof-search procedure, which may 
be roughly described as follows: 

⁴ In fact, Roorda conjectured that the condition was not sufficient.

Fig. 2. A proof-net



— given a formula, assign to the vertices of its proof-frame values that obey 
the constraints of Figure 1; 

— try to find a set of axiom links such that the values assigned to the conclusions 
of any axiom link are equal. 

Now, the problem in trying to assign values to a proof-frame is that the constants 
assigned to its principal inputs are not sufficient to determine the values assigned 
to its other vertices. The way out is to assign variables to some of the vertices, 
and then to search for a set of axiom links such that the terms assigned to 
the conclusions of any axiom link are unifiable. To make this idea precise, we 
introduce the notion of valuated proof-frame. 

Let $\mathcal{X}$ be a countably infinite set disjoint from $\Sigma$, whose elements will be
called the variables. We write $T(\Sigma, \mathcal{X})$ for the set of terms generated by $\Sigma$ and
$\mathcal{X}$ (including the identity element $\varepsilon$). We have $T(\Sigma) \subseteq T(\Sigma, \mathcal{X})$ and, in this
setting, the elements of $T(\Sigma)$ are called the ground terms. When $t$ is a term,
we write $\mathrm{var}(t)$ (respectively, $\mathrm{cst}(t)$) to denote the set of variables (respectively,
constants) occurring in $t$. We extend these notations to sets of terms in the
obvious way.

Definition 4. Let $A$ be an implicative formula. A valuated proof-frame of $A$
consists of the proof-frame of $A$, $P = (V, E)$, together with a map
$\rho : V \to T(\Sigma, \mathcal{X})$ such that:

(a) the value assigned by $\rho$ to the root of $P$ is $\varepsilon$;

(b) the values assigned by $\rho$ to the principal inputs of $P$ are elements of $\Sigma$ that
are pairwise different;

(c) the values assigned by $\rho$ to the principal outputs of $P$ are elements of $\mathcal{X}$ that
are pairwise different;

(d) the values assigned by $\rho$ obey the constraints given in Figure 1. ■

One easily shows that any formula admits a valuated proof-frame, which is
unique up to a renaming of the constants assigned to the principal inputs and the
variables assigned to the principal outputs. Consequently, we will speak of the
valuated proof-frame of a formula.

A substitution skeleton $\hat\sigma$ is defined to be a partial function $\hat\sigma : \mathcal{X} \to T(\Sigma, \mathcal{X})$
whose domain is finite. Such a substitution skeleton induces a unique function
$\sigma : T(\Sigma, \mathcal{X}) \to T(\Sigma, \mathcal{X})$ such that:

(a) $\sigma(\varepsilon) = \varepsilon$,

(b) $\sigma(x) = \hat\sigma(x)$, for $x \in \mathrm{dom}(\hat\sigma)$,

(c) $\sigma(a) = a$, for $a \in (\Sigma \cup \mathcal{X}) \setminus \mathrm{dom}(\hat\sigma)$,

(d) $\sigma(\alpha \cdot \beta) = \sigma(\alpha) \cdot \sigma(\beta)$.

A function such as $\sigma$ is called a substitution, and we write $\mathrm{Subst}(\mathcal{X}, \Sigma)$ for the set
of substitutions. By a slight abuse of language, we will speak of the domain of a
substitution to mean the domain of its skeleton. If $\sigma$ and $\tau$ are two substitutions
whose domains are disjoint, we have that $\sigma \circ \tau = \tau \circ \sigma$, and the skeleton of the
substitution is the union of the two skeletons. In such a case, again by abuse of
language, we will write $\sigma \cup \tau$ for $\sigma \circ \tau$.

The next lemma is almost immediate. 

Lemma 1. Let $A$ be an implicative formula, and let $P = ((V, E), \rho)$ be its valuated
proof-frame. Then, $A$ is INL (respectively, IL, IMLL) provable if and only
if there exists a one-one correspondence $R$ between the positive leaves and the
negative leaves of $P$, together with a substitution $\sigma \in \mathrm{Subst}(\mathcal{X}, \Sigma)$ such that for
any positive leaf $p$ and any negative leaf $n$, $p\,R\,n$ implies that:

(a) if $p$ is decorated with $A$ then $n$ is decorated with $A^\perp$;

(b) $\sigma(\rho(p)) = \sigma(\rho(n))$ (respectively, modulo associativity, modulo associativity
and commutativity).

Proof. Imagine there exist such a correspondence $R$ and such a substitution
$\sigma$. It is easy to check that $((V, E \cup R), \sigma \circ \rho)$ is a proof-net. Consequently, by
Proposition 1, $A$ is provable.

Conversely, suppose that $A$ is provable, and consequently, that there exists a
proof-net $((V, E'), \rho')$. Take $R = E' \setminus E$ (the axiom links of the proof-net). We
have that $p\,R\,n$ implies $\rho'(p) = \rho'(n)$. It is then easy to show, by induction on
the proof-frame of $A$, that there exists a substitution $\sigma$ such that $\rho' = \sigma \circ \rho$. □

From the above lemma, we have that to any implicative formula $A$ correspond
two sets of terms $P$ and $N$ such that $A$ is provable if and only if there exists
a one-one correspondence between $P$ and $N$ together with a substitution that
unifies the corresponding terms. In general, the converse is not true: one cannot
associate an implicative formula to any pair of sets of terms. The main goal
of this section is to characterize the pairs of sets $(P, N)$ which correspond to
implicative formulas.
We define the sets of positive ($\mathcal{P}$) and negative ($\mathcal{N}$) terms as follows:

\[ \mathcal{P} ::= \mathcal{X} \mid (\mathcal{P} \cdot \Sigma) \mid (\Sigma \cdot \mathcal{P}) \]

\[ \mathcal{N} ::= \Sigma \mid (\mathcal{N} \cdot \mathcal{X}) \mid (\mathcal{X} \cdot \mathcal{N}) \]

The unique variable occurring in a positive term is called the head of the term.
Similarly, the head of a negative term is the unique constant occurring in it. We
also define the set of positive ground terms ($\mathcal{G}$). These are positive terms whose
head has been instantiated by a constant:

\[ \mathcal{G} ::= \Sigma \mid (\mathcal{G} \cdot \Sigma) \mid (\Sigma \cdot \mathcal{G}) \]

We define the accessibility relation $<$ on $\mathcal{G} \cup \mathcal{P} \cup \mathcal{N}$ as follows. Let $t, u \in \mathcal{G} \cup \mathcal{P} \cup \mathcal{N}$.
Then, $t < u$ if and only if:

— either $t \in \mathcal{G} \cup \mathcal{P}$, $u \in \mathcal{N}$, and the head of $u$ occurs in $t$;

— or $t \in \mathcal{N}$, $u \in \mathcal{P}$, and the head of $u$ occurs in $t$.

We now define the central notion of this paper.

Definition 5. A PN-matching problem consists of two finite sets of terms $P$ and
$N$ such that:

(a) $P$ contains one positive ground term, called the root of the problem, and all
its other elements are positive terms;

(b) all the elements of $N$ are negative terms;

(c) all the heads of the positive (respectively, negative) terms are different;

(d) the head of each positive (respectively, negative) term occurs in exactly one
negative (respectively, positive or positive ground) term;

(e) each constant (respectively, variable) that occurs in a positive or positive
ground (respectively, negative) term is the head of a negative (respectively,
positive) term;

(f) $(\forall t \in P \cup N)\ r <^* t$, where $r$ is the root of the problem, and $<^*$ is the
transitive reflexive closure of the accessibility relation.

Such a PN-matching problem admits a free-solution (respectively, A-solution, AC-solution)
if and only if there exists a one-one correspondence $R$ between $P$ and $N$
together with a substitution $\sigma \in \mathrm{Subst}(\mathcal{X}, \Sigma)$ such that $(\forall p \in P)(\forall n \in N)\ p\,R\,n$
implies $\sigma(p) = \sigma(n)$ (respectively, modulo associativity, modulo associativity and
commutativity). ■

As we will see, the above notion of PN-matching corresponds to provability
of one-literal formulas. It is not difficult to get rid of this restriction. It suffices
to add to the problem $(P, N)$ a set of constraints $C \subseteq P \times N$ such that

\[ (\forall p_1, p_2 \in P)(\forall n_1, n_2 \in N)\quad (p_1, n_1), (p_1, n_2), (p_2, n_2) \in C \Rightarrow (p_2, n_1) \in C, \]

and require that any solution $(R, \sigma)$ is such that $R \subseteq C$. Nevertheless, we prefer
not to consider such a set of constraints $C$ in order to keep the notion of PN-matching
as simple as possible. One of our goals is to gain some insight into the
complexity of the Lambek calculus. With respect to this aim, there is no harm
in considering only one-literal formulas. Indeed, it is a direct consequence of [15]
that one-literal multiplicative formulas are not easier to prove than many-literal
multiplicative formulas.

We will speak of free PN-matching, associative PN-matching, or associative 
commutative PN-matching according to the kind of solutions we consider (free- 
solution, A-solution, or AC-solution, respectively). On the other hand, when 
stating properties that are common to the three kinds of problems, we will 
simply say PN-matching. 

It is not difficult to prove that the definitional properties of a PN-matching
problem $(P, N)$ imply that the accessibility relation on $P \cup N$ is a tree. This
property will be useful in the sequel.

Clearly, a necessary condition for a PN-matching problem to admit a solution
is that $P$ and $N$ have the same cardinality. We will come back to this in Section 5.

We say that a substitution $\sigma$ is relative to a set of terms $T$ if and only if
$\mathrm{dom}(\sigma) \subseteq \mathrm{var}(T)$. It is easy to show that, whenever a PN-matching problem
$(P, N)$ admits a solution $(R, \sigma)$, it admits a solution $(R, \sigma')$ where $\sigma'$ is relative
to $P$. In the sequel of this paper, we will only consider such solutions.

We end this section by proving that free, associative, and associative com- 
mutative PN-matching are equivalent to provability in INL, IL, and IMLL. 

Proposition 2. For any one-literal implicative formula $A$, there exists a PN-matching
problem $(P, N)$ such that $A$ is INL (respectively, IL, IMLL) provable
if and only if $(P, N)$ admits a free solution (respectively, A-solution, AC-solution).

Proof. Take P to be the set of terms assigned to the positive leaves of the 
valuated proof-frame of A. Similarly, take N to be the set of terms assigned to 
its negative leaves. One may easily show, by induction on the proof-frame of A, 
that (P, N) is a PN-matching problem. Then, by Lemma 1, this problem admits 
a solution if and only if A is provable. □ 

As a corollary of this proposition, we have that associative commutative PN- 
matching is NP-complete since provability in IMLL is known to be NP-complete 
[9]. 
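As an added example (not code from the paper), the following Python builds the valuated proof-frame of Definition 4 for a formula read in the associative (IL) setting and reads the problem $(P, N)$ off its leaves, as in the proof of Proposition 2. The formula syntax (`-o`, `o-`, capital-letter atoms), the names `a1, a2, ...` and `X1, X2, ...` and the leaf numbering are this example's own assumptions.

```python
"""Valuated proof-frame of an implicative formula (Definition 4) and the
PN-matching problem read off its leaves (Proposition 2), for the associative
case IL: values are words over constants and variables, i.e. tuples of symbols.

Conventions of this example (not the paper's): atoms are capital letters,
'A -o B' is the left implication, 'B o- A' the right one, parentheses group;
constants are named a1, a2, ... and variables X1, X2, ...
"""
import re


def parse(src):
    """Parse a fully bracketed formula into an atom or a triple (op, left, right)."""
    tokens = re.findall(r"-o|o-|[A-Z]|[()]", src)

    def operand():
        tok = tokens.pop(0)
        if tok == "(":
            inner = formula()
            assert tokens.pop(0) == ")", "unbalanced parentheses"
            return inner
        return tok

    def formula():
        left = operand()
        if tokens and tokens[0] in ("-o", "o-"):
            op = tokens.pop(0)
            return (op, left, operand())
        return left

    result = formula()
    assert not tokens, "trailing tokens: bracket every implication"
    return result


class ValuatedFrame:
    """Top-down traversal of the parse tree.  Each sub-formula is visited with
    the polarity the translation [[.]]+ gives it (Section 3) and with the value
    rho of the corresponding proof-frame node; its two premises then receive
    their values under constraints (d1)-(d4) of Figure 1.  A fresh constant is
    assigned to every principal input and a fresh variable to every principal
    output, as Definition 4 requires."""

    def __init__(self, src):
        self.n_const = self.n_var = 0
        self.literal = {}   # leaf index -> atom decorating the leaf
        self.pos = {}       # leaf index -> term, positive leaves (the set P)
        self.neg = {}       # leaf index -> term, negative leaves (the set N)
        self._visit(parse(src), "+", ())   # the root is assigned epsilon = ()

    def _fresh_constant(self):
        self.n_const += 1
        return "a%d" % self.n_const

    def _fresh_variable(self):
        self.n_var += 1
        return "X%d" % self.n_var

    def _visit(self, f, polarity, value):
        if isinstance(f, str):                      # a leaf: literal A or A-perp
            index = len(self.literal) + 1
            self.literal[index] = f
            (self.pos if polarity == "+" else self.neg)[index] = value
            return
        op, left, right = f
        if polarity == "+":                         # par-node: principal input a
            a = self._fresh_constant()
            if op == "-o":   # [[l -o r]]+ = [[l]]- par [[r]]+, npp-link: r gets t.a (d1)
                plan = (("-", (a,)), ("+", value + (a,)))
            else:            # [[l o- r]]+ = [[l]]+ par [[r]]-, ppn-link: l gets a.t (d2)
                plan = (("+", (a,) + value), ("-", (a,)))
        else:                                       # tensor-node: principal output x
            x = self._fresh_variable()
            if op == "-o":   # [[l -o r]]- = [[r]]- tensor [[l]]+, nnp-link: r gets t.x (d3)
                plan = (("+", (x,)), ("-", value + (x,)))
            else:            # [[l o- r]]- = [[r]]+ tensor [[l]]-, pnn-link: l gets x.t (d4)
                plan = (("-", (x,) + value), ("+", (x,)))
        self._visit(left, *plan[0])
        self._visit(right, *plan[1])

    def problem(self):
        """The pair (P, N) of Proposition 2 (the literals allow Lemma 1(a) to be
        checked when the formula has more than one literal)."""
        return self.pos, self.neg


def show(term):
    return "".join(term) or "eps"


if __name__ == "__main__":
    for src in ["(A -o B) -o (A -o B)", "(A o- B) -o (B -o A)"]:
        frame = ValuatedFrame(src)
        print(src)
        for index in sorted(frame.literal):
            if index in frame.pos:
                sign, term = "+", frame.pos[index]
            else:
                sign, term = "-", frame.neg[index]
            print("  %d: %s%s  %s" % (index, frame.literal[index], sign, show(term)))
```

The second formula is the Lambek-directional case $(A \multimapinv B) \multimap (B \multimap A)$: its positive ground term `a1a2` cannot be matched against `X1a1` modulo associativity, which is why it is not IL-provable while the first one is.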

To show the converse of Proposition 2, we associate a valuated partial parse
tree $T(t)$ to each term $t \in \mathcal{P}$ as follows:

(a) $T(X)$ consists of a simple positive node $A$, which is assigned $X$;

(b) $T(a \cdot t)$ is obtained as follows: replace in $T(t)$ the positive leaf which is
assigned $t$ by a ppn-link whose positive premise $A$ is assigned $a \cdot t$ and whose
negative premise $A^\perp$ is assigned $a$;

(c) $T(t \cdot a)$ is obtained as follows: replace in $T(t)$ the positive leaf which is
assigned $t$ by an npp-link whose negative premise $A^\perp$ is assigned $a$ and whose
positive premise $A$ is assigned $t \cdot a$.
Similarly, one defines $T(t)$, for $t \in \mathcal{N}$:

(a) $T(a)$ consists of a simple negative node $A^\perp$, which is assigned $a$;

(b) $T(X \cdot t)$ is obtained as follows: replace in $T(t)$ the negative leaf which is
assigned $t$ by a pnn-link whose positive premise $A$ is assigned $X$ and whose
negative premise $A^\perp$ is assigned $X \cdot t$;

(c) $T(t \cdot X)$ is obtained as follows: replace in $T(t)$ the negative leaf which is
assigned $t$ by an nnp-link whose negative premise $A^\perp$ is assigned $t \cdot X$ and
whose positive premise $A$ is assigned $X$.

Finally, one defines $T(t)$, for $t \in \mathcal{G}$:

(a) $T(a)$ consists of an npp-link whose both premises are assigned $a$ and whose
conclusion is assigned $\varepsilon$;

(b) $T(a \cdot t)$, where $t$ is not atomic, is obtained as follows: replace in $T(t)$ the
positive leaf which is assigned $t$ by a ppn-link whose positive premise $A$ is
assigned $a \cdot t$ and whose negative premise $A^\perp$ is assigned $a$;

(c) $T(t \cdot a)$ is obtained as follows: replace in $T(t)$ the positive leaf which is
assigned $t$ by an npp-link whose negative premise $A^\perp$ is assigned $a$ and whose
positive premise $A$ is assigned $t \cdot a$.

Proposition 3. For any PN-matching problem $(P, N)$, there exists a one-literal
implicative formula $A$ such that $A$ is INL (respectively, IL, IMLL) provable if
and only if $(P, N)$ admits a free solution (respectively, A-solution, AC-solution).

Proof. Let $P$ and $N$ be two sets of terms that satisfy Conditions (b), (c), (d),
and (f) of Definition 5, but that do not necessarily satisfy Condition (e). We
construct a valuated proof-frame $F$ by induction on the accessibility relation. If
$N$ is empty, and consequently, $P = \{r\}$ where $r$ is the root of the problem, we
take $F = T(r)$. Otherwise, let $t \in P \cup N$ be a term that is maximal with respect
to $<$. Let $F'$ be the valuated proof-frame associated, by induction hypothesis,
to the problem obtained by removing $t$ from $(P, N)$. $F$ is then constructed by
grafting $T(t)$ in place of the unique leaf of $F'$ that is assigned the head of $t$
and that has the same polarity as $t$. It is not difficult to check that $F$ is indeed
the valuated proof-frame of a one-literal formula $A$, and that the positive and
negative leaves of $F$ are respectively assigned the elements of $P$ and $N$. Hence,
the proof of the proposition follows by Lemma 1. □

As a corollary of this proposition, we have that free PN-matching is polynomial
since provability in INL is known to be polynomial [1]. Finally, as a
corollary of both Propositions 2 and 3, we have that provability of one-literal
formulas in IL is NP-complete or polynomial if and only if associative PN-matching
is NP-complete or polynomial, respectively. Consequently, the complexity problem
of the Lambek calculus may be studied through our notion of PN-matching.

5 A PN-Matching Algorithm

In this section, we give a general PN-matching algorithm. We first specify it 
by means of a non deterministic transition system. Then we explain how this 
algorithm may be implemented in a more efficient way. 
In what follows, we assume that the terms defining a PN-matching problem
are assigned different integers, and if $t$ is such an indexed term, $\#t$ denotes
the integer assigned to $t$. We also assume that a substitution applied on an
indexed term does not affect the integer, i.e., $\#\sigma(t) = \#t$. This is only needed
to keep a trace of the original terms when applying a substitution and to allow
correspondences between terms to be represented as relations on integers.

Let $P$ and $N$ be two sets of indexed terms, $R \subseteq \mathbb{N} \times \mathbb{N}$, and $\sigma \in \mathrm{Subst}(\mathcal{X}, \Sigma)$.
Consider the following transition:

\[ (P, N, R, \sigma) \longrightarrow (\tau(P \setminus \{t\}),\ \tau(N \setminus \{u\}),\ R \cup \{(\#t, \#u)\},\ \tau \circ \sigma) \tag{1} \]

where $t \in P$ is a positive ground term, $u \in N$, and $\tau$ is a substitution whose
domain is $\mathrm{var}(u)$ and such that $t = \tau(u)$.

We will prove that a PN-matching problem $(P, N)$ admits a solution $(R, \sigma)$
if and only if there exists a sequence of transitions such that:

\[ (P, N, \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, \emptyset, R, \sigma) \tag{2} \]

Clearly there cannot be infinite sequences such as (2). Moreover, the branching
due to the non-determinism of Transition (1) is finite. Consequently, Transition
(1) specifies indeed a non deterministic algorithm. Proving the correctness of
this algorithm (i.e., the if-part of the above statement) is straightforward.

Proposition 4. Let $(P, N)$ be a PN-matching problem such that

\[ (P, N, \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, \emptyset, R, \sigma). \]

Then $(R, \sigma)$ is a solution to $(P, N)$.

Proof. A straightforward induction on the sequence of transitions. □ 

In order to prove the completeness of the algorithm, we first establish a 
lemma. 

Lemma 2. Let $(P_1, N_1)$ and $(P_2, N_2)$ be two PN-matching problems such that
$\mathrm{var}(P_1) \cap \mathrm{var}(P_2) = \emptyset$. If there exist sequences of transitions such that

\[ (P_1, N_1, \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, \emptyset, R_1, \sigma_1) \quad\text{and}\quad (P_2, N_2, \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, \emptyset, R_2, \sigma_2) \]

then there exists a sequence of transitions such that

\[ (P_1 \cup P_2, N_1 \cup N_2, R_0, \sigma_0) \longrightarrow^* (\emptyset, \emptyset, R_2 \cup R_1 \cup R_0, \sigma_2 \cup \sigma_1 \cup \sigma_0) \]

where $R_0$ is any relation, and $\sigma_0$ is a substitution whose domain is disjoint from
$\mathrm{var}(P_1)$ and $\mathrm{var}(P_2)$.

Proof. Since $\mathrm{var}(P_1) \cap \mathrm{var}(P_2) = \emptyset$, we have that $\sigma_1(P_2) = P_2$ and $\sigma_1(N_2) = N_2$.
It is then straightforward to prove that:

\[ (P_1 \cup P_2, N_1 \cup N_2, R_0, \sigma_0) \longrightarrow^* (P_2, N_2, R_1 \cup R_0, \sigma_1 \circ \sigma_0)
\longrightarrow^* (\emptyset, \emptyset, R_2 \cup R_1 \cup R_0, \sigma_2 \circ \sigma_1 \circ \sigma_0) \]

Moreover, we have that the domains of $\sigma_0$, $\sigma_1$, and $\sigma_2$ are pairwise disjoint. Hence,
$\sigma_2 \circ \sigma_1 \circ \sigma_0 = \sigma_2 \cup \sigma_1 \cup \sigma_0$. □







We now prove the completeness of the algorithm.

Proposition 5. Let $(P, N)$ be a PN-matching problem that admits a solution
$(R, \sigma)$. Then there exists a sequence of transitions such that:

\[ (P, N, \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, \emptyset, R, \sigma) \]

Proof. Let $r \in P$ be the root of the problem, and let $u \in N$ be such that
$(\#r, \#u) \in R$. Then, let $\sigma_u$ be the substitution $\sigma$ restricted to $\mathrm{var}(u)$, and let
$(t_i)_{i \in n}$ be the positive terms such that $u < t_i$. Define the following sets, relations,
and substitutions:

\[ \begin{array}{l}
P_i = \{ t \in P \mid \sigma_u(t_i) <^* \sigma_u(t) \} \\[2pt]
N_i = \{ t \in N \mid \sigma_u(t_i) <^* \sigma_u(t) \} \\[2pt]
R_i = R \cap (\#P_i \times \#N_i) \\[2pt]
\sigma_i \text{ is the substitution } \sigma \text{ restricted to } \mathrm{var}(P_i)
\end{array} \]

It is easy to show, from the definitional properties of a PN-matching problem
that:

— $(\forall i, j \in n)\ i \neq j$ implies $P_i \cap P_j = \emptyset$ and $N_i \cap N_j = \emptyset$,

— $\bigcup_{i \in n} P_i = P \setminus \{r\}$ and $\bigcup_{i \in n} N_i = N \setminus \{u\}$,

— $\bigcup_{i \in n} R_i = R \setminus \{(\#r, \#u)\}$ and $(\bigcup_{i \in n} \sigma_i) \cup \sigma_u = \sigma$,

— $((\sigma_u(P_i), \sigma_u(N_i)))_{i \in n}$ is a family of PN-matching problems, with $(t_i)_{i \in n}$ as
roots, that admits the family of solutions $((R_i, \sigma_i))_{i \in n}$.

Then, by induction hypothesis, there exist sequences of transitions such that:

\[ (\sigma_u(P_i), \sigma_u(N_i), \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, \emptyset, R_i, \sigma_i), \]

and, by iterating Lemma 2,

\[ \Big(\bigcup_{i \in n} \sigma_u(P_i),\ \bigcup_{i \in n} \sigma_u(N_i),\ \{(\#r, \#u)\},\ \sigma_u\Big) \longrightarrow^* (\emptyset, \emptyset, R, \sigma), \]

which allows us to conclude since

\[ (P, N, \emptyset, \mathrm{id}) \longrightarrow \Big(\bigcup_{i \in n} \sigma_u(P_i),\ \bigcup_{i \in n} \sigma_u(N_i),\ \{(\#r, \#u)\},\ \sigma_u\Big). \]
□

There are different sources of non-determinism in our PN-matching algorithm: 

(a) the choice of the positive ground term t according to which the transition is 
done, 

(b) the choice of the negative term u to be matched with t, 

(c) the choice of the substitution r such that t = t{u). 
One cannot avoid (b) and (c). On the other hand, the non-determinism due to
(a) may be circumvented, as we will explain, by transforming our algorithm.

We first show that there is no need for updating $N$ in Transition (1). Consider
the following sequence of transitions:

\[ (P, N, \emptyset, \mathrm{id}) \longrightarrow^* (P', N', R, \sigma)
\longrightarrow (\tau(P' \setminus \{t\}),\ \tau(N' \setminus \{u\}),\ R \cup \{(\#t, \#u)\},\ \tau \circ \sigma) \]

where $(P, N)$ is a PN-matching problem. It is a direct consequence of Properties
(c), (d) and (e) of Definition 5 that the substitution $\tau$ does not affect $N' \setminus \{u\}$,
i.e., $\tau(N' \setminus \{u\}) = N' \setminus \{u\}$. Moreover, because of these same properties, there
cannot be any positive ground term $t' \in \tau(P' \setminus \{t\})$ such that $t' = \tau'(u)$ for some
substitution $\tau'$. Hence, updating $N$ is only needed in order to ensure that $P$ and
$N$ have the same number of elements. But this may be checked once and for all
before starting any sequence of transitions. Therefore, one may assume that $N$ is
an invariant datum that is global to all the possible sequences of transitions.

Now consider the set $P' \setminus \{t\}$ that appears in the above transition. This set
may be partitioned into two sets $P_1$ and $P_2$ as follows:

\[ P_1 = \{ t' \in P' \mid u < t' \} \quad\text{and}\quad P_2 = P' \setminus (P_1 \cup \{t\}) \]

Again by the definitional properties of a PN-matching problem, one may prove
that all the terms in $\tau(P_1)$ are positive ground terms and that $\tau(P_2) = P_2$.
Moreover, using Property (f) of Definition 5, one proves that, whenever $\tau(P' \setminus \{t\})$
does not contain any positive ground term, we have $P' \setminus \{t\} = \emptyset$.

These observations lead us to the definition of a new transition:

\[ (G, R, \sigma) \longrightarrow ((G \setminus \{t\}) \cup \tau(Q),\ R \cup \{(\#t, \#u)\},\ \tau \circ \sigma) \tag{3} \]

where:

— $P$, $G$, and $N$ are sets of positive, positive ground, and negative terms
respectively;

— $R \subseteq \mathbb{N} \times \mathbb{N}$ and $\sigma \in \mathrm{Subst}(\mathcal{X}, \Sigma)$;

— $t \in G$, $u \in N$, and $\tau$ is a substitution whose domain is $\mathrm{var}(u)$ and such that
$t = \tau(u)$;

— $Q = \{ t' \in P \mid u < t' \}$.

It follows from the above discussion that a PN-matching problem $(P, N)$ with
root $r$ admits a solution $(R, \sigma)$ if and only if there exists a sequence of transitions
such that:

\[ (\{r\}, \emptyset, \mathrm{id}) \longrightarrow^* (\emptyset, R, \sigma) \tag{4} \]

provided that $P$ and $N$ have the same number of elements.

Finally, let $G$, $R$, and $\sigma$ be such that

\[ (\{r\}, \emptyset, \mathrm{id}) \longrightarrow^* (G, R, \sigma) \tag{5} \]

where $(P, N)$ is a PN-matching problem whose root is $r$. Assume that there exist
two different transitions:

\[ (G, R, \sigma) \longrightarrow ((G \setminus \{t_1\}) \cup \tau_1(Q_1),\ R \cup \{(\#t_1, \#u_1)\},\ \tau_1 \circ \sigma) \]

\[ (G, R, \sigma) \longrightarrow ((G \setminus \{t_2\}) \cup \tau_2(Q_2),\ R \cup \{(\#t_2, \#u_2)\},\ \tau_2 \circ \sigma) \]

It is easy to prove, by induction on the length of Sequence (5), that $\mathrm{cst}(t_1) \cap \mathrm{cst}(t_2) = \emptyset$.
Consequently, we have $u_1 \neq u_2$, $\mathrm{var}(u_1) \cap \mathrm{var}(u_2) = \emptyset$, and
$Q_1 \cap Q_2 = \emptyset$. This implies that there exist two transitions such that:

\[ ((G \setminus \{t_1\}) \cup \tau_1(Q_1),\ R \cup \{(\#t_1, \#u_1)\},\ \tau_1 \circ \sigma) \longrightarrow
((G \setminus \{t_1, t_2\}) \cup \tau_1(Q_1) \cup \tau_2(Q_2),\ R \cup \{(\#t_1, \#u_1), (\#t_2, \#u_2)\},\ (\tau_1 \cup \tau_2) \circ \sigma) \]

\[ ((G \setminus \{t_2\}) \cup \tau_2(Q_2),\ R \cup \{(\#t_2, \#u_2)\},\ \tau_2 \circ \sigma) \longrightarrow
((G \setminus \{t_1, t_2\}) \cup \tau_1(Q_1) \cup \tau_2(Q_2),\ R \cup \{(\#t_1, \#u_1), (\#t_2, \#u_2)\},\ (\tau_1 \cup \tau_2) \circ \sigma) \]

Consequently, there is no source of non-determinism in the choice of the
positive ground term according to which the transition is done. This means
that the search for a successful sequence of transitions may be organised as an
and/or-tree.

Figure 3 gives such an and/or-tree for the following associative PN-matching
problem:

\[ P = \{1 : abc,\ 2 : Z,\ 3 : Y,\ 4 : eX,\ 5 : Wd\} \quad\text{and}\quad
N = \{1' : c,\ 2' : YbZ,\ 3' : e,\ 4' : d,\ 5' : aXW\} \]

The main nodes, in this tree, are labelled with ground terms and the edges
growing from these correspond to the different negative terms that match with
the ground terms labelling the main nodes. Each such edge is labelled with the
index of the corresponding negative term. Then there is a possible or-node with
outgoing edges corresponding to the possible different unifiers. Finally, each possible
unifier gives rise to an and-node whose outgoing edges reach the new positive
ground terms resulting from a transition.

In such an and/or-tree, the subtree growing out of a main node is history 
independent: it is completely determined by the ground term labelling the main 
node. Consequently, the proof-search space may be organised as a DAG rather 
than as a tree (by using memoization or dynamic programming techniques, for 
instance). 

6 Conclusions and Future Work 

We have reduced INL, IL, and IMLL provability to matching problems that 
emphasise the part played by associativity in the case of IL, and associativity and 
commutativity in the case of IMLL. As we said in the introduction, we hope that 
this reduction will give an insight into the complexity of the Lambek calculus. 
An important question, in this context, is to know whether our PN-matching
algorithm runs in polynomial time in the non-associative case. In fact, even in 
this simple case, it is not difficult to construct families of formulas for which 
the proof-search space, when organised as a tree, has an exponential number of 
nodes. Consequently, the only hope of obtaining a polynomial algorithm is to 
organise some sharing as we suggested at the end of the previous section. If we 
do so, our PN-matching algorithm runs in polynomial time provided that the 
number of different positive ground terms involved in the search is polynomial. 
Several experimental results suggest that this is the case. Unfortunately, we do 
not know how to prove it in general. Therefore, the next step of this work will 
be to solve this question. 

The first experiments we have conducted seem to indicate that our PN-matching
algorithm has a good behaviour in practice. Hence, it would be interesting
to see how our approach competes with other methods [16,23]. In this
practical setting, working only in the implicative fragment of multiplicative linear
logic is a limitation. This raises the question of extending our procedure to
fragments including additives and exponentials. In this respect, [11] might be
a source of inspiration. Indeed, in the purely implicative case, there is a strong
connection between our proof-search algorithm and Lamarche's games.
Abstract. Various models for the Girard-Reynolds second-order lambda
calculus have been presented in the literature. Except for the term
model they are either realizability or domain models. In this paper a
further model construction is introduced. Types are interpreted as inverse
limits of $\omega$-cochains of finite sets. The corresponding morphisms
are sequences of maps acting locally on the finite sets in the $\omega$-cochains.
The model can easily be turned into an effectively given one. Moreover,
it can be arranged in such a way that the universally quantified type
$\forall t.t$ representing absurdity in the higher-order logic defined by the type
structure is interpreted by the empty set, which means that it is also a
model of this logic.



1 Introduction 

Type systems originally introduced in logic and the foundations of mathemat- 
ics have been proved quite useful in computer science. By the Curry-Howard 
isomorphism typed expressions can be interpreted in various ways. If types are 
considered as formulae of a logical calculus, the expressions of a certain type are 
proofs of the corresponding formula. In case we think of a type as a data struc- 
ture, an expression is a program which evaluates to a value in this data structure. 
But we can also consider types as formulae of a specification language. Then the 
statement that an expression is of a certain type means that this program results 
in a value which meets the specification given by the type. 

Various type systems of different computational and expressive power have 
been considered in the literature. In this paper we will be mainly concerned with 
the polymorphic lambda calculus. 

The polymorphic lambda calculus, introduced independently by Girard [13,14] 
and Reynolds [21], is an extension of the usual typed lambda calculus that allows 
a form of parametric polymorphism. Types include universally quantified types 
which are types of polymorphic terms, thought of as describing those functions 
which are defined in a uniform manner at all types. Terms can be applied to 
types and in this sense can be parameterised by types. 

In order to achieve this, type variables are introduced into the typed lambda
calculus. So, for instance, $\lambda x{:}\sigma.\,x$ should be thought of as the identity function
on the type denoted by $\sigma$. The polymorphic identity function, the term
which stands for the identity function on any type, is given by the expression
$\Lambda t.\lambda x{:}t.\,x$. It has a universally quantified type denoted by $\forall t.\, t \to t$. Given a
type $\sigma_1$, a term $\Lambda t.M$ of universally quantified type $\forall t.\sigma_2$ can be instantiated
to a term $\{\sigma_1/t\}M$ which then has type $\{\sigma_1/t\}\sigma_2$, and so, for instance, the polymorphic
identity above instantiates at type $\sigma$ to the identity $\lambda x{:}\sigma.\,x$ of type
$\sigma \to \sigma$.

While the pioneering work of Girard contains most of the results on the syn- 
tax of the calculus, an understanding of its models has developed more slowly. 
There is a trivial model obtained by interpreting types as either the empty or 
the one-point set. But this is obviously inadequate as a model of polymorphism 
and the many useful data structures definable in the calculus. The difficulty of 
providing nontrivial models arises essentially from the impredicative nature of 
the calculus: in the abstraction of a universally quantified type $\forall t.\sigma$ the type
variable t is understood to range over all types including the universally quanti- 
fied type itself. Reynolds [23] showed that no model of the polymorphic lambda 
calculus in which the function-space constructor behaves set theoretically is pos- 
sible, classically. But, by a result of Pitts [20], such a model can be constructed 
in constructive set theory. 

Nontrivial models, term and realizability models, were already presented by 
Girard [14] and Troelstra [27]. McCracken [18], building on ideas from Scott [25],
produced the first correct domain-theoretic model. It was constructed from
Scott's universal domain $P\omega$, using closures (a special kind of retracts) to represent
types. Following a suggestion of Scott [26], McCracken [19] has as well
shown that finitary retracts over certain finitary complete partial orders can be
used to represent types. Amadio, Bruce, and Longo [1], again using ideas ap- 
pearing in several papers by Scott, have also constructed a model using finitary 
projections over complete partial orders. All these domain models are models for 
stronger calculi with a type of all types, a fact which is used in giving meaning 
to universally quantified types. But by a result of Girard [14], such systems are 
inconsistent, when they are considered as logical calculi. 

In his paper [15], Girard produced an interesting new model in which types 
of the polymorphic lambda calculus are represented as certain kinds of objects 
called qualitative domains. In this construction types with free type variables, 
called “variable types” by Girard, are interpreted as nicely behaving functors 
on a category of these domains. The central observation was that the behaviour 
of such functors is already determined by what they do on finite qualitative 
domains. So he got rid of the circularity in the construction of universally quan- 
tified types. Building upon these ideas, Coquand, Gunter, and Winskel presented
a domain model for the polymorphic lambda calculus in which types are interpreted
as dI-domains [7] and Scott domains [8], respectively. In the last model a
universally quantified type is interpreted as a domain (considered as a category) 
of continuous sections of the Grothendieck fibration of a continuous functor. 

By using an observation of the present author, Gruchalski [17] showed that 
the construction of the Scott domain model can be simplified so that only 
domain-theoretic methods are used. Girard's qualitative domains can be represented
by certain graphs such that the usual domain constructions can be carried
out directly on the graphs [16]. Using similar structures Berardi and Berline [3] 
managed to construct a large family of concrete models in a noncategorical way. 

A major drawback of the domain models is that the type $\forall t.t$, which represents
absurdity in the logical calculus given by the type system, is interpreted
by a nonempty set, which means that this semantics is not adequate when one
wants to give meaning to the logic, known to be consistent. Moreover, even when
one is only interested in the functional language, then one should be able to introduce
some notion of computability in the model, which seems to be impossible
at least in the case of the dI- and Scott domain model of Coquand, Gunter and
Winskel.

In the model we present in this paper types are interpreted as sets which 
are approximated by sequences of finite sets, more exactly, as inverse limits of 
$\omega$-cochains of finite sets. The points in these limits are certain sequences of elements
of the approximating finite sets. As morphisms in the new category SFS
(Sequences of Finite Sets), which we are considering, we take those maps that 
can be represented as sequences of mappings which act locally on the approxi- 
mating finite sets and commute with the connecting projections of the chain. For 
any two sequences of elements of the approximating finite sets they preserve the 
longest initial segment in which these coincide. In the context of rank-ordered 
sets Bruce and Mitchell [5] called such maps rank-preserving. As it turns out, 
the constructors for products and exponents are themselves rank-preserving. Note here
that the objects in SFS are also sequences. Modulo some coding, a universally
quantified type $\forall t.\sigma$ is then interpreted as the set of all rank-preserving sections
with respect to the fibration of the rank-preserving constructor obtained from
the interpretation of $\sigma$.

The model can easily be turned into an effectively given one. Moreover, with- 
out any restrictions on the collection of finite sets used for approximation the 
empty set is an object of our category, which implies that the universally quan- 
tified type representing absurdity is interpreted by the empty set. Thus, the 
model not only gives meaning to the polymorphic lambda calculus viewed as a 
functional language but also when considered as a logical calculus. 

The construction of the model allows some variations. If, e.g., one requires the 
approximating finite sets not to be empty, the interpretation of $\forall t.t$ is nonempty,
too. In case all the finite sets are $T_0$-spaces and the connecting projections are
continuous, one obtains a model in which every type is interpreted by a directed- 
complete partial order (not necessarily with a smallest element). Note that in 
this case the morphisms have to be continuous as well. However, requiring the 
topology on the finite sets to satisfy stronger separation conditions will produce 
no further models, since a topology on a finite set which satisfies the $T_1$-axiom is
already discrete. In general, one can consider any property of sets that is closed 
under the inverse limit construction. With respect to the canonical metric defined 
on sets of infinite sequences the spaces in SFS are complete ultrametric spaces. 
Beside the polymorphic lambda calculus the category SFS can also be used to
give meaning to other type systems. Here, we consider only the slight extension 
of the second-order lambda calculus studied by Bruce, Meyer and Mitchell [6] . 

Extensions of the polymorphic lambda calculus concern the kind structure 
built upon the type expressions of the calculus. Essentially, kinds are the “types” 
that appear in type expressions. The object set of the category SFS is a complete 
projection space. Projection spaces have been studied by Ehrig et al. [9,10,11,12] 
as a generalization of the projective model of process algebra of Bergstra and 
Klop [4]. They are nonempty sets with a family of commuting projection
functions. The projections assign a canonical sequence of approximations to each 
element of the set. With rank-preserving maps as morphisms the category of 
complete projection spaces is Cartesian closed. 

The paper is organised as follows. In Sect. 2 the syntax of the polymorphic 
lambda calculus is recalled and in Sect. 3 a modification of Bruce, Meyer and 
Mitchell’s notion of a second-order environment model is given which includes 
the case that types can be empty. In both cases we follow the presentation in 
[6].

The category SFS is considered in Sect. 4 and in Sect. 5 complete projection 
spaces are introduced. It is shown that the collection of all SFS objects is a com- 
plete projection space. Section 6 deals with representations in SFS of products 
of rank-preserving maps over the object set of SFS. In Sect. 7 the new model 
for the polymorphic lambda calculus is defined. Concluding remarks appear in 
Sect. 8. 



2 Syntax of the Polymorphic Lambda Calculus 
2.1 Constructors and Kinds 

Every term of the calculus we are going to consider has a type and every subex- 
pression of a type expression has a kind. The subexpressions of type expressions, 
which may be type expressions or operators like $\to$ and $\forall$, will be called constructors.
We will define the sets of kinds and constructor expressions before
introducing the syntax and type checking rules for terms. 

We use the constant $T$ to denote the kind consisting of all types. The set of
kind expressions is given by

$$\kappa ::= T \mid \kappa_1 \Rightarrow \kappa_2 .$$

Let $V_{cst}$ be a set of variables $v^\kappa$, each with a specified kind. We assume that
we have infinitely many variables for each kind. Moreover, let $C_{cst}$ be the set
containing the function-type constructor constant $\to$ and the polymorphic-type
constructor constant $\forall$. As usual, we write $\to$ as an infix operator and write $\forall t.\sigma$
for $\forall(\lambda t.\sigma)$. The constructor expressions over $C_{cst}$ and $V_{cst}$, and their kinds, are
defined by the derivation system

$$\to : T \Rightarrow (T \Rightarrow T), \qquad \forall : (T \Rightarrow T) \Rightarrow T, \qquad v^\kappa : \kappa$$

$$\frac{\mu : \kappa_1 \Rightarrow \kappa_2 \qquad \nu : \kappa_1}{\mu\nu : \kappa_2} \qquad\qquad \frac{\mu : \kappa_2}{\lambda v^{\kappa_1}.\mu : \kappa_1 \Rightarrow \kappa_2}$$

A subset of the constructor expressions are the type expressions, the constructor
expressions of kind $T$. We use the following metavariables: $r, s, t, \ldots$
stand for arbitrary type variables and $\rho, \sigma, \tau, \ldots$ stand for arbitrary type expressions.
As in the definition above, we will generally use $\mu$ and $\nu$ for constructor
expressions.

Since we have a "kinded" lambda calculus, there are many nontrivial equations
between types and constructors, which follow from the familiar axioms and
inference rules of the ordinary simply typed lambda calculus. If $\mu = \nu$ is provable
from the axioms and rules for constructors, we write $\vdash_c \mu = \nu$. The constructor
axiom system will be used to assign types to terms, since equal types will be
associated with the same set of terms.

2.2 Terms and Their Types 

We write free variables without type labels. However, we always assign types to 
free variables using a technical device called context. 

Let $V_{term}$ be an infinite collection of variables. We will use the notation
$x, y, z, \ldots$ for these variables. The set of pre-terms over variables from $V_{cst}$ and
$V_{term}$ is defined by

$$M ::= x \mid \lambda x{:}\sigma.M \mid MN \mid \Lambda t.M \mid M\sigma ,$$

where $x \in V_{term}$, $t$ is a type variable, and $\sigma$ is a type expression over $C_{cst}$ and
$V_{cst}$. We will define the well-typed terms below.

The type of a second-order lambda term will depend on the context in which
it occurs. We must know the types of all free variables before assigning a type.
A context $\Gamma$ is a finite set $\Gamma = \{x_1 : \sigma_1, \ldots, x_k : \sigma_k\}$ of associations of types to
variables, with no variable appearing twice in $\Gamma$. If $x$ does not occur in a context
$\Gamma$, then we write $\Gamma, x{:}\sigma$ for the context $\Gamma, x{:}\sigma = \Gamma \cup \{x{:}\sigma\}$.

The typing relation is a three-place relation between contexts, pre-terms
and type expressions. Let $\Gamma$ be a context, $M$ be a pre-term, and $\sigma : T$ a type
expression. We define $\Gamma \vdash M : \sigma$, which is read "$M$ has type $\sigma$ with respect to
$\Gamma$," by the derivation system below. The axiom about the typing relation is

$$x{:}\sigma \vdash x{:}\sigma .$$



The type derivation rules are

$$(\to E)\ \frac{\Gamma \vdash M : \sigma \to \tau \qquad \Gamma \vdash N : \sigma}{\Gamma \vdash MN : \tau} \qquad\qquad (\to I)\ \frac{\Gamma, x{:}\sigma \vdash M : \tau}{\Gamma \vdash \lambda x{:}\sigma.M : \sigma \to \tau}$$

$$(\forall E)\ \frac{\Gamma \vdash M : \forall\mu}{\Gamma \vdash M\tau : \mu\tau} \qquad\qquad (\forall I)\ \frac{\Gamma \vdash M : \tau}{\Gamma \vdash \Lambda t.M : \forall t.\tau}\quad t \text{ not free in } \Gamma$$
and two rules that apply to terms of any form

$$(\text{add hyp})\ \frac{\Gamma \vdash M : \tau}{\Gamma, x{:}\sigma \vdash M : \tau}\quad x \text{ not in } \Gamma, \qquad\qquad (\text{type eq})\ \frac{\Gamma \vdash M : \sigma \qquad \vdash_c \sigma = \tau}{\Gamma \vdash M : \tau}$$



We say that $M$ is a term if $\Gamma \vdash M : \sigma$ for some $\Gamma$ and $\sigma$. In writing $\Gamma \vdash M : \sigma$,
we will mean that the typing $\Gamma \vdash M : \sigma$ is derivable.



2.3 Equations between Terms 

Since we write terms with type assignments, it is natural to include type assign- 
ments in equations as well. By equation, we will mean an expression 

$$\Gamma \vdash M = N : \sigma ,$$

where $\Gamma \vdash M : \sigma$ and $\Gamma \vdash N : \sigma$. Intuitively, an equation $\{x_1 : \sigma_1, \ldots, x_k : \sigma_k\} \vdash M = N : \sigma$
means, "if the variables $x_1, \ldots, x_k$ have types $\sigma_1, \ldots, \sigma_k$, respectively,
then terms $M$ and $N$ denote the same element of type $\sigma$."

The axioms and inference rules for equations between second-order lambda 
terms are similar to the axioms and rules of the ordinary typed lambda calculus. 
The main difference is that we tend to have two versions of each axiom or 
rule, one for ordinary function abstraction or application, and another for type 
abstraction or application. For lack of space we do not list the axioms and rules 
and refer the reader to [6] instead. 



3 Second-Order Environment Models 

Models for second-order lambda calculus have several parts: “kind frames” are 
used to interpret kinds and constructors and additional sets indexed by types to 
interpret terms. All these parts are collected together in what is called a frame. 
Models are defined as frames which satisfy an additional condition involving the 
meaning of terms. 

3.1 Semantics of Constructor Expressions 

Constructor expressions are interpreted using kind frames, which are essentially
frames for the simply typed lambda calculus. A kind frame Kind for a set $C_{cst}$
of constructor constants is a tuple

$$Kind = (\{\, Kind^\kappa \mid \kappa \text{ a kind} \,\},\ \{\, \Phi_{\kappa_1,\kappa_2} \mid \kappa_1, \kappa_2 \text{ kinds} \,\},\ I) ,$$

where

$$\Phi_{\kappa_1,\kappa_2} : Kind^{\kappa_1 \Rightarrow \kappa_2} \to [Kind^{\kappa_1} \Rightarrow Kind^{\kappa_2}]$$

is a bijection between $Kind^{\kappa_1 \Rightarrow \kappa_2}$ and some set $[Kind^{\kappa_1} \Rightarrow Kind^{\kappa_2}]$ of maps from
$Kind^{\kappa_1}$ to $Kind^{\kappa_2}$, and

$$I : C_{cst} \to \bigcup_\kappa Kind^\kappa$$

preserves kinds, that is, $I(c^\kappa) \in Kind^\kappa$. Since constructor expressions include all
typed lambda expressions one is interested in kind frames which are models of
the simply typed lambda calculus.

Let $\eta$ be an environment mapping constructor variables to $\bigcup_\kappa Kind^\kappa$ such
that for each $v^\kappa$, one has $\eta(v^\kappa) \in Kind^\kappa$. The meaning $\llbracket\mu\rrbracket_\eta$ of a constructor
expression $\mu$ in environment $\eta$ is defined as follows:

$$\llbracket v^\kappa \rrbracket_\eta = \eta(v^\kappa),$$

$$\llbracket c^\kappa \rrbracket_\eta = I(c^\kappa),$$

$$\llbracket \lambda v^{\kappa_1}.\mu \rrbracket_\eta = \Phi^{-1}_{\kappa_1,\kappa_2}(f), \quad \text{where } f(a) = \llbracket\mu\rrbracket_{\eta[a/v^{\kappa_1}]} \text{ for all } a \in Kind^{\kappa_1}.$$

Here, $\eta[a/v^\kappa]$ is the environment that maps $v^\kappa$ onto $a$ and every other variable
$u^{\kappa'}$ onto $\eta(u^{\kappa'})$.

Note that the above conditions do not entail that the map $f$ is in the range
of $\Phi_{\kappa_1,\kappa_2}$. Therefore, the meaning may not be defined for all constructor expressions.
Kind is said to be a kind environment model for $C_{cst}$ if every constructor
expression over $C_{cst}$ has a meaning in every environment for Kind.

3.2 Frames and Environment Models 

As in the definition of a kind environment model, first a structure, called frame,
is defined and then models are defined by distinguishing frames which interpret
all terms from those that do not. Second-order frames include versions
of the $\Phi$ maps now indexed by types, plus an additional collection of such
maps for polymorphic types. Intuitively, a polymorphic term $\Lambda t.M$ denotes a
map from the set of types to elements of types. More precisely, the meaning of
$\Lambda t.M$ is regarded as an element of the Cartesian product $\prod_{a \in Kind^T} Dom^{f(a)}$ for
some map $f : Kind^T \to Kind^T$ determined from the typing of $M$. Therefore, for every
map $f \in Kind^{T \Rightarrow T}$, a second-order model has a map $\Psi_f$ mapping $Dom^{\forall(f)}$ to
some subset $[\prod_{a \in Kind^T} Dom^{f(a)}]$ of $\prod_{a \in Kind^T} Dom^{f(a)}$. Here $\forall(f)$ denotes the
element $\Phi_{T \Rightarrow T,\, T}(I(\forall))(f)$ of $Kind^T$. In the same way we write $a \to b$ to mean
$\Phi_{T,T}(\Phi_{T,\, T \Rightarrow T}(I(\to))(a))(b)$ in the next definition.

A second-order frame $\mathcal{F}$ for terms over constants from $C_{cst}$ is a tuple

$$\mathcal{F} = (Kind,\ Dom,\ \{\, \Phi_{a,b} \mid a, b \in Kind^T \,\},\ \{\, \Psi_f \mid f \in Kind^{T \Rightarrow T} \,\})$$

satisfying conditions (1) through (4):

1. $Kind = (\{Kind^\kappa\}, \{\Phi_{\kappa_1,\kappa_2}\}, I)$ is a kind frame for $C_{cst}$.

2. $Dom = \{\, Dom^a \mid a \in Kind^T \,\}$ is a family of sets $Dom^a$ indexed by elements
$a \in Kind^T$.

3. For each $a, b \in Kind^T$, there is a set $[Dom^a \to Dom^b]$ of maps from $Dom^a$
to $Dom^b$ with bijection $\Phi_{a,b} : Dom^{a \to b} \to [Dom^a \to Dom^b]$.

4. For every $f \in Kind^{T \Rightarrow T}$, there is a subset $[\prod_{a \in Kind^T} Dom^{f(a)}]$ of
$\prod_{a \in Kind^T} Dom^{f(a)}$ with bijection $\Psi_f : Dom^{\forall(f)} \to [\prod_{a \in Kind^T} Dom^{f(a)}]$.

Essentially, condition (3) states that $Dom^{a \to b}$ must "represent" some set
$[Dom^a \to Dom^b]$ of maps from $Dom^a$ to $Dom^b$. Similarly, condition (4) specifies
that $Dom^{\forall(f)}$ must represent some subset $[\prod_{a \in Kind^T} Dom^{f(a)}]$ of the product
$\prod_{a \in Kind^T} Dom^{f(a)}$.

Note that since in the model we are going to construct types are allowed to
be empty, in what follows environments are partial maps mapping variables in
$V_{cst} \cup V_{term}$ to certain values which are defined for all elements of $V_{cst}$, but need
not be defined for all ordinary variables.

Terms are interpreted using the $\Phi$'s and $\Psi$'s for application and their inverses for abstraction.
Since different $\Phi$ and $\Psi$ maps are used, depending on the types of terms, the
type of a term will be used to define its meaning. If $\Gamma$ is a context and $\eta$ an
environment mapping $V_{cst}$ to elements of the appropriate kinds and $V_{term}$ to
elements of $\bigcup \{\, Dom^a \mid a \in Kind^T \,\}$, one says that $\eta$ satisfies $\Gamma$, written $\eta \models \Gamma$,
if for every $x{:}\sigma \in \Gamma$, $\eta(x)$ is defined with

$$\eta(x) \in Dom^{\llbracket\sigma\rrbracket_\eta} ,$$

in case $Dom^{\llbracket\sigma\rrbracket_\eta}$ is not empty, and $\eta(x)$ is undefined, otherwise.

Let $\mathcal{F}$ be a second-order frame. For any well-typed term $\Gamma \vdash M : \sigma$ and
environment $\eta \models \Gamma$ the meaning $\llbracket \Gamma \vdash M : \sigma \rrbracket_\eta$ is defined by induction on typing
derivations. The inductive clauses of the meaning function are given in the same
order as the typing rules in Sect. 2.2, with rules $(\to E)$, $(\to I)$, $(\forall E)$, and $(\forall I)$
preceding rules (add hyp) and (type eq) which do not rely on the form of terms:

$\llbracket \Gamma \vdash x : \sigma \rrbracket_\eta = \eta(x)$,

$\llbracket \Gamma \vdash MN : \tau \rrbracket_\eta = \Phi_{a,b}(\llbracket \Gamma \vdash M : \sigma \to \tau \rrbracket_\eta)(\llbracket \Gamma \vdash N : \sigma \rrbracket_\eta)$,
where $a = \llbracket\sigma\rrbracket_\eta$ and $b = \llbracket\tau\rrbracket_\eta$,

$\llbracket \Gamma \vdash \lambda x{:}\sigma.M : \sigma \to \tau \rrbracket_\eta = \Phi^{-1}_{a,b}(g)$, where $a = \llbracket\sigma\rrbracket_\eta$, $b = \llbracket\tau\rrbracket_\eta$ and
$g(d) = \llbracket \Gamma, x{:}\sigma \vdash M : \tau \rrbracket_{\eta[d/x]}$ for all $d \in Dom^a$,

$\llbracket \Gamma \vdash M\tau : \mu\tau \rrbracket_\eta = \Psi_f(\llbracket \Gamma \vdash M : \forall\mu \rrbracket_\eta)(\llbracket\tau\rrbracket_\eta)$, where $f = \llbracket\mu\rrbracket_\eta$,

$\llbracket \Gamma \vdash \Lambda t.M : \forall t.\sigma \rrbracket_\eta = \Psi^{-1}_f(g)$, where $f \in Kind^{T \Rightarrow T}$ is the map $\llbracket \lambda t.\sigma \rrbracket_\eta$ and
$g(a) = \llbracket \Gamma \vdash M : \sigma \rrbracket_{\eta[a/t]}$ for all $a \in Kind^T$,

$\llbracket \Gamma, x{:}\sigma \vdash M : \tau \rrbracket_\eta = \llbracket \Gamma \vdash M : \tau \rrbracket_\eta$, where the left-hand typing follows from
the rule (add hyp),

$\llbracket \Gamma \vdash M : \tau \rrbracket_\eta = \llbracket \Gamma \vdash M : \sigma \rrbracket_\eta$, where the left-hand typing follows by rule
(type eq).

It is relatively easy to see that the environments on the right-hand sides of these
clauses all satisfy the appropriate contexts (cf. [6]).

In the above definition of meaning, there is no guarantee that the map $g$ in
the $\lambda x{:}\sigma.M$ case is in the domain of $\Phi^{-1}_{a,b}$, and similarly for the map $g$ in the
$\Lambda t.M$ case. A second-order frame

$$\mathcal{F} = (Kind,\ Dom,\ \{\, \Phi_{a,b} \mid a, b \in Kind^T \,\},\ \{\, \Psi_f \mid f \in Kind^{T \Rightarrow T} \,\})$$

is an environment model if Kind is a kind environment model and for every term
$\Gamma \vdash M : \sigma$ and every environment $\eta \models \Gamma$, the maps $g$ in the $\lambda x{:}\sigma.M$ case and
$g$ in the $\Lambda t.M$ case, respectively, of the definition of the meaning $\llbracket \Gamma \vdash M : \sigma \rrbracket_\eta$
are in the domains of $\Phi^{-1}_{a,b}$ and $\Psi^{-1}_f$.

It is easy to check that the meanings of the terms have the appropriate
semantic types:

Lemma 1. Let $\eta$ be an environment for a model $(Kind, Dom, \{\Phi_{a,b}\}, \{\Psi_f\})$ and
$\Gamma \vdash M : \sigma$ be a term. If $\eta \models \Gamma$ and $Dom^{\llbracket\tau\rrbracket_\eta}$ is not empty, for every $x{:}\tau \in \Gamma$
such that $x$ occurs free in $M$, then $\llbracket \Gamma \vdash M : \sigma \rrbracket_\eta \in Dom^{\llbracket\sigma\rrbracket_\eta}$.

The only nontrivial case is abstraction by rule $(\to I)$. Since we assume that
$\Gamma \vdash \lambda x{:}\sigma.M : \sigma \to \tau$ follows from $\Gamma, x{:}\sigma \vdash M : \tau$, we have to distinguish the
cases whether $Dom^{\llbracket\sigma\rrbracket_\eta}$ is empty or not. The second case is obvious and in the
first case we have that the map $g$ is the empty map, which is the only map from
$Dom^{\llbracket\sigma\rrbracket_\eta}$ to $Dom^{\llbracket\tau\rrbracket_\eta}$.

As in [6] it moreover follows that the meaning of a well-typed term F \- M : a 
does not depend on the derivation of the typing. 

An environment $\eta \models \Gamma$ for model $\mathcal{F}$ satisfies an equation $\Gamma \vdash M = N : \sigma$, if
$\llbracket \Gamma \vdash M : \sigma \rrbracket_\eta = \llbracket \Gamma \vdash N : \sigma \rrbracket_\eta$. A model $\mathcal{F}$ satisfies an equation $\Gamma \vdash M = N : \sigma$,
if $\mathcal{F}$ and $\eta$ satisfy $\Gamma \vdash M = N : \sigma$ for all $\eta \models \Gamma$. In the same way as in [6] one
obtains that the axioms and inference rules presented in Sect. 2.3 are sound for
environment models.

Proposition 1 (Soundness). Let $\Gamma \vdash M = N : \sigma$ be a provable equation. Then
$\Gamma \vdash M = N : \sigma$ is satisfied by every environment model.

4 Sequences of Finite Sets 

4.1 Basic Definitions 

The objects by which we will interpret types in the model we are going to present
are inverse limits $T$ of $\omega$-cochains $T_0 \xleftarrow{p_0} T_1 \xleftarrow{p_1} T_2 \xleftarrow{p_2} \cdots$ of finite sets $T_i$ of
natural numbers such that for every $i > 0$ either $T_i$ is empty and $p_{i-1}$ is the
empty map, or $T_i$ is not empty and $p_{i-1}$ is surjective. The elements of such a
limit are sequences $(y_i)_{i \in \omega}$ with $y_i \in T_i$ such that $y_i = p_i(y_{i+1})$. If $x \in T$ then
we denote the $i$th element of the sequence by $x_i$.

It should be observed that if for some index $i$ the finite set $T_i$ in the cochain
is empty, then for all $j > i$ the sets $T_j$ and hence the limit $T$ must be empty as
well.

At first sight, the restriction to subsets of $\omega$ seems to be an unnecessary
complication of the construction. The reason for it will become clear later. As a
consequence of this restriction an encoding of the objects obtained is necessary
after most of the construction steps. But in order to make the construction more
transparent, we only indicate in the following how the encoding has to be done
and then suppress it as much as possible. So, e.g., we always identify a finite
object with its code. Moreover, we write to indicate that not the set $\{\ldots\}$
but the set of codes of its elements is meant.

Let $\langle \cdot, \ldots, \cdot \rangle : \omega^n \to \omega$ be a computable $n$-tuple encoding with decoding functions
$\pi^n_i$ ($1 \le i \le n$) which is monotone in each argument. Moreover, let $D$ be
a canonical coding of finite sets of natural numbers (cf. [24]). If $A$, $A'$, $B$ and
$B'$ are finite sets of natural numbers and $p : A \to B$ and $p' : A' \to B'$ are finite
functions, then

$$A \times^c A' = \{\, \langle a, a' \rangle \mid a \in A \wedge a' \in A' \,\}$$

and $p \times^c p' : A \times^c A' \to B \times^c B'$ is the function defined by

$$p \times^c p'(\langle a, a' \rangle) = \langle p(a), p'(a') \rangle .$$

A finite function $g : A \to B$ is coded by the number $\langle n, a, b \rangle$, where $n$, $a$, and $b$
are such that $D_a = A$, $D_b = B$, and $D_n = \{\, \langle d, e \rangle \mid g(d) = e \,\}$. Obviously, the
value of the function for an argument can easily be obtained from the code.

The morphisms we will consider are such that the degree of coincidence
between any two sequences in their domain is preserved.

Definition 1. Let $T$ and $T'$ be inverse limits of $\omega$-cochains. A map $f : T \to T'$
is said to be rank-preserving if for all $x, y \in T$ and all $i \in \omega$ the following
condition holds:

$$x_i = y_i \ \Rightarrow\ f(x)_i = f(y)_i .$$

As follows from the definition a rank-preserving map is determined by its
behaviour on the finite approximations of its domain space, i.e. by its own finite
approximations. Note that in the context of rank-ordered sets the given definition
is equivalent to the one given by Bruce and Mitchell [5]. In the case of projection
spaces maps with this property are called projection compatible (cf. [9]).

Let SFS be the category which has as

— objects inverse limits $T$ of $\omega$-cochains $T_0 \xleftarrow{p_0} T_1 \xleftarrow{p_1} T_2 \xleftarrow{p_2} \cdots$ of finite sets $T_i$ of natural numbers such that either $T_{i+1}$ is empty and $p_i$ is the empty map, or $T_{i+1}$ is not empty and $p_i$ is surjective, and as

— morphisms rank-preserving maps.

We denote its object set by SFS and for any two objects $T$ and $T'$ the set of all
morphisms from $T$ to $T'$ by $SFS[T, T']$. The empty set as inverse limit of the
cochain $\emptyset \leftarrow \emptyset \leftarrow \cdots$ is obviously initial in this category and the inverse limit
of the cochain $\{i\} \leftarrow \{i\} \leftarrow \cdots$ is terminal, for any $i \in \omega$.



4.2 Product and Exponentials

The product is defined componentwise. Let $T$, $T'$, $T''$, and $T'''$ be SFS objects
such that $T$ and $T'$, respectively, are the inverse limits of the cochains
$T_0 \xleftarrow{p_0} T_1 \xleftarrow{p_1} T_2 \xleftarrow{p_2} \cdots$ and $T'_0 \xleftarrow{p'_0} T'_1 \xleftarrow{p'_1} \cdots$. Construct a new cochain
$\hat T_0 \xleftarrow{\hat p_0} \hat T_1 \xleftarrow{\hat p_1} \cdots$ by setting

$$\hat T_i = T_i \times^c T'_i \quad\text{and}\quad \hat p_i = p_i \times^c p'_i$$

and define $T \otimes T'$ to be its inverse limit. We denote elements of $T \otimes T'$ by
$\langle\!\langle x, x' \rangle\!\rangle$ with $x \in T$ and $x' \in T'$. Let $pr(\langle\!\langle x, x' \rangle\!\rangle) = x$ and $pr'(\langle\!\langle x, x' \rangle\!\rangle) = x'$.
Moreover, for two morphisms $f \in SFS[T, T'']$ and $g \in SFS[T', T''']$ let
$(f \otimes g)(\langle\!\langle x, x' \rangle\!\rangle) = \langle\!\langle f(x), g(x') \rangle\!\rangle$. Then $pr$, $pr'$ and $f \otimes g$ are rank-preserving.
Obviously, one obtains a product in SFS by this means. So, the category is
Cartesian.

Next, we want to show that SFS is also Cartesian closed. To this end we first
show that the function space can itself be represented as an inverse limit of an
$\omega$-cochain of finite sets of natural numbers. Let to this end $p_{ij} = p_j \circ \cdots \circ p_{i-1}$
for $j < i$. The idea is to represent a rank-preserving map from $T$ to $T'$ by a
sequence of locally acting functions from $T_i$ to $T'_i$. Set

$$[T_i \Rightarrow T'_i] = \{\, h : T_i \to T'_i \mid (\forall y, z \in T_i)(\forall j < i)[\, p_{ij}(y) = p_{ij}(z) \Rightarrow p'_{ij}(h(y)) = p'_{ij}(h(z)) \,] \,\}$$

and define $q_i : [T_{i+1} \Rightarrow T'_{i+1}] \to [T_i \Rightarrow T'_i]$ by

$$q_i(h)(y) = p'_i(h(z)) ,$$

for some $z \in p_i^{-1}(\{y\})$. Obviously, the value of $q_i(h)(y)$ is independent of the
choice of $z$. Moreover, $q_i$ is surjective.

$[T_i \Rightarrow T'_i]$ is a set of codes of finite functions. Note that in the definition of $q_i$
we omitted the corresponding coding and decoding functions and dealt with the
finite functions directly, according to what has been said earlier that we identify
finite objects and their codes.

Let $[T \Rightarrow T']$ be the inverse limit of the cochain $([T_i \Rightarrow T'_i], q_i)_{i \in \omega}$. There is
a one-to-one correspondence between $SFS[T, T']$ and $[T \Rightarrow T']$. As is easily
seen, both sets are not empty exactly if $T'$ is not empty or both $T$ and $T'$ are
empty. In this case define $\Theta_{T,T'} : SFS[T, T'] \to [T \Rightarrow T']$ by letting $\Theta_{T,T'}(f)_i$
be the (code of the) finite function that maps $y \in T_i$ to $f(z)_i$, for some $z \in T$
with $y = z_i$. Since $f$ is rank-preserving, this definition is independent of the
choice of $z$ and the condition in the definition of $[T_i \Rightarrow T'_i]$ is satisfied. Moreover
$q_i(\Theta_{T,T'}(f)_{i+1}) = \Theta_{T,T'}(f)_i$. Thus $\Theta_{T,T'}(f) \in [T \Rightarrow T']$. Conversely, define
$\Psi_{T,T'} : [T \Rightarrow T'] \to SFS[T, T']$ by

$$\Psi_{T,T'}(g)(x)_i = g_i(x_i) .$$

Since

$$p'_i(g_{i+1}(x_{i+1})) = q_i(g_{i+1})(p_i(x_{i+1})) = g_i(x_i) ,$$

we have that $\Psi_{T,T'}(g)(x) \in T'$. Moreover, $\Psi_{T,T'}(g)$ is rank-preserving. As is
readily verified, both maps $\Theta_{T,T'}$ and $\Psi_{T,T'}$ are inverse to each other.
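As an added worked example (not part of the paper), the following Python models the constructions of this subsection at finite level: two constructed $\omega$-cochains $T$ and $T'$, the sets $[T_i \Rightarrow T'_i]$ of locally acting functions, the projections $q_i$, and the finite approximations $\Theta_{T,T'}(f)_i$ of a constructed rank-preserving map $f$. Finite functions are kept as Python dicts instead of the numeric codes $\langle n, a, b \rangle$, and the enumeration of $[T_i \Rightarrow T'_i]$ is only meant for small $i$.

```python
"""Finite-level model of the SFS exponent construction (added example).

T  : T_i = all i-bit numbers, p_i drops the last bit        (constructed cochain)
T' : T'_i = {0, ..., i},      p'_i(y) = min(y, i)           (constructed cochain)
f  : T -> T', f(x)_i = position of the first 1-bit among the first i bits of x,
     or i if there is none                                  (constructed, rank-preserving)
Finite functions are kept as dicts instead of the paper's numeric codes.
"""
from itertools import product


def T_level(i):
    """T_i: the i-bit numbers 0 .. 2^i - 1 (so T_0 = {0})."""
    return list(range(2 ** i))


def p(i, y):
    """p_i : T_{i+1} -> T_i, forget the last bit.  Surjective."""
    return y // 2


def Tp_level(i):
    """T'_i = {0, ..., i}."""
    return list(range(i + 1))


def pp(i, y):
    """p'_i : T'_{i+1} -> T'_i, cut off at i.  Surjective."""
    return min(y, i)


def iterate(proj, i, j, y):
    """p_{ij} = p_j o ... o p_{i-1}: carry y from level i down to level j <= i."""
    for k in range(i - 1, j - 1, -1):
        y = proj(k, y)
    return y


def is_locally_acting(h, i):
    """Membership test for [T_i => T'_i]: whenever y and z agree at a coarser
    level j < i, h(y) and h(z) must agree at level j as well."""
    Ti = T_level(i)
    return all(
        iterate(pp, i, j, h[y]) == iterate(pp, i, j, h[z])
        for y in Ti for z in Ti for j in range(i)
        if iterate(p, i, j, y) == iterate(p, i, j, z)
    )


def locally_acting_functions(i):
    """Enumerate [T_i => T'_i] as dicts y -> h(y) (exponential; small i only)."""
    Ti, Tpi = T_level(i), Tp_level(i)
    return [h for h in (dict(zip(Ti, vals)) for vals in product(Tpi, repeat=len(Ti)))
            if is_locally_acting(h, i)]


def q(i, h):
    """q_i : [T_{i+1} => T'_{i+1}] -> [T_i => T'_i],
    q_i(h)(y) = p'_i(h(z)) for any z with p_i(z) = y."""
    out = {}
    for z, hz in h.items():
        y, v = p(i, z), pp(i, hz)
        if out.setdefault(y, v) != v:
            raise ValueError("h is not locally acting: the choice of z matters")
    return out


def f_level(i, xi):
    """The i-th component f(x)_i of the rank-preserving map f; by
    rank-preservation it depends on x_i only."""
    for k in range(i):
        if (xi >> (i - 1 - k)) & 1:
            return k
    return i


def theta(i):
    """Theta_{T,T'}(f)_i: the finite function y in T_i -> f(z)_i for any z with z_i = y."""
    return {y: f_level(i, y) for y in T_level(i)}


def theta_is_compatible(n):
    """Check Theta(f)_i in [T_i => T'_i] and q_i(Theta(f)_{i+1}) = Theta(f)_i for i < n,
    i.e. that the approximations form a point of the inverse limit [T => T']."""
    return all(is_locally_acting(theta(i), i) and q(i, theta(i + 1)) == theta(i)
               for i in range(n))


def q_is_surjective(i):
    """q_i maps [T_{i+1} => T'_{i+1}] onto [T_i => T'_i] (checked by enumeration)."""
    image = {tuple(sorted(q(i, h).items())) for h in locally_acting_functions(i + 1)}
    return image == {tuple(sorted(h.items())) for h in locally_acting_functions(i)}


if __name__ == "__main__":
    print("Theta(f)_2 =", theta(2))                                # {0: 2, 1: 1, 2: 0, 3: 0}
    print("|[T_2 => T'_2]| =", len(locally_acting_functions(2)))  # 25
    print("compatible:", theta_is_compatible(5), "q_1 onto:", q_is_surjective(1))
```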
Proposition 2. For all $T, T' \in SFS$, the map $\Psi_{T,T'}$ is a bijection from $[T \Rightarrow T']$ onto $SFS[T, T']$.

We will now show that $[T \Rightarrow T']$ is the exponent of $T$ and $T'$ in SFS. Define
$eval \in SFS[[T \Rightarrow T'] \otimes T, T']$ by

$$eval(\langle\!\langle g, x \rangle\!\rangle) = \Psi_{T,T'}(g)(x) ,$$

where $g \in [T \Rightarrow T']$ and $x \in T$, and $curry : SFS[T \otimes T', T''] \to SFS[T, [T' \Rightarrow T'']]$ by

$$curry(f)(x)_i(y) = \Theta_{T \otimes T',\, T''}(f)_i(\langle x_i, y \rangle) ,$$

for $f \in SFS[T \otimes T', T'']$, $x \in T$, and $y \in T'_i$. Then one has for $h \in SFS[T \otimes T', T'']$,
$k \in SFS[T, [T' \Rightarrow T'']]$, $x \in T$, and $z \in T'$ that

$$\begin{aligned}
(eval \circ (curry(h) \otimes id_{T'}))(\langle\!\langle x, z \rangle\!\rangle)_i &= eval(\langle\!\langle curry(h)(x), z \rangle\!\rangle)_i \\
&= \Psi_{T',T''}(curry(h)(x))(z)_i \\
&= curry(h)(x)_i(z_i) \\
&= \Theta_{T \otimes T',\, T''}(h)_i(\langle x_i, z_i \rangle) \\
&= h(\langle\!\langle x, z \rangle\!\rangle)_i
\end{aligned}$$

and

$$\begin{aligned}
curry(eval \circ (k \otimes id_{T'}))(x)_i(z_i) &= \Theta_{T \otimes T',\, T''}(eval \circ (k \otimes id_{T'}))_i(\langle x_i, z_i \rangle) \\
&= eval((k \otimes id_{T'})(\langle\!\langle x, z \rangle\!\rangle))_i \\
&= eval(\langle\!\langle k(x), z \rangle\!\rangle)_i \\
&= \Psi_{T',T''}(k(x))(z)_i \\
&= k(x)_i(z_i) .
\end{aligned}$$

Summing up what we have shown so far we obtain the following result.

Summing up what we have shown so far we obtain the following result. 

Theorem 1. The category SFS of inverse limits of $\omega$-cochains of finite sets of
natural numbers and rank-preserving maps is Cartesian closed.

Thus, the category SFS gives rise to a model of the simply typed lambda
calculus, even to a model of an extension of this calculus by explicit pairs (cf.
[2]).

5 Complete Projection Spaces 
5.1 Basic Definitions 

In this section we study the structure of SFS. As it will turn out, SFS is a complete 
projection space. We have already seen that the usual constructions on SFS 
are rank-preserving. With rank-preserving maps as morphisms the category of 
complete projection spaces is Cartesian closed. 
Definition 2. Let $P$ be a nonempty set and $([\cdot]_i)_{i \in \omega}$ be a family of maps from 
$P$ into $P$. 

1. $(P, ([\cdot]_i)_{i \in \omega})$ is a projection space, if for all $i, j \in \omega$ 
\[ [\cdot]_i \circ [\cdot]_j = [\cdot]_{\min\{i,j\}} . \]

2. $(P, ([\cdot]_i)_{i \in \omega})$ is complete if for any sequence $(x_i)_{i \in \omega}$ from $P$ with $x_i = [x_{i+1}]_i$, 
for $i \in \omega$, there is a unique element $x \in P$ such that for all $i$, $x_i = [x]_i$. 

For $i \in \omega$ set $P_i = \{ x \in P \mid x = [x]_i \}$. 

Projection spaces have been studied by Ehrig et al. [9,10,11,12] as a generalization 
of the projective model of process algebra by Bergstra and Klop [4]. 
Bruce and Mitchell [5] consider a subclass of complete projection spaces, called 
rank-ordered sets, which are such that the map $[\cdot]_0$ projects the whole space onto 
a distinguished element $\bot$. 

The mapping $[\cdot]_i$ can be thought of as a map that takes an element $x$ to its 
$i$th approximation. In the case of an inverse limit $T \in \mathrm{SFS}$ the $i$th approximation 
$[T]_i^{\mathrm{SFS}}$ is the inverse limit of the cochain 
\[ T_0 \xleftarrow{p_0} T_1 \xleftarrow{p_1} T_2 \xleftarrow{p_2} \cdots \xleftarrow{p_{i-1}} T_i \xleftarrow{p_i} T_i \xleftarrow{p_{i+1}} \cdots , \]
with $p_j = \mathrm{id}_{T_i}$, for $j \geq i$, which is in one-to-one correspondence with $T_i$. 

Proposition 3. $(\mathrm{SFS}, ([\cdot]_i^{\mathrm{SFS}})_{i \in \omega})$ is a complete projection space. 

Note that each projection space $P$ is the inverse limit of the cochain $(P_i, [\cdot]_i)_{i \in \omega}$, 
but the sets $P_i$ need not be finite. As is readily verified, a map 
$F\colon P \to Q$ between projection spaces $P$ and $Q$ is rank-preserving exactly if for 
all $x \in P$ and all $i, j \in \omega$ with $j \geq i$, $[F([x]_j^P)]_i^Q = [F(x)]_i^Q$. 

Let CP be the category which has as 

— objects complete projection spaces and as 

— morphisms rank-preserving maps. 

We denote the object set by CP and for any two objects $P$ and $Q$ the set of all 
morphisms from $P$ to $Q$ by $\mathrm{CP}[P,Q]$. 

5.2 Products and Exponentials 

Products in the category of complete projection spaces are formed as Cartesian 
products $P \times Q$ with projections $[\cdot]_i^{P \times Q}$ given by 
\[ [(x,y)]_i^{P \times Q} = ([x]_i^P, [y]_i^Q) . \]
Exponentials are the sets $\mathrm{CP}[P,Q]$ of all rank-preserving maps $F\colon P \to Q$. Define 
projections $[\cdot]_i^{\mathrm{CP}[P,Q]}$ by 
\[ [F]_i^{\mathrm{CP}[P,Q]}(x) = [F(x)]_i^Q . \]
Then $\mathrm{CP}[P,Q]$ is a complete projection space again. Moreover, let Eval and 
Curry be given in the usual way, that is, for $F \in \mathrm{CP}[P,Q]$, $G \in \mathrm{CP}[P \times Q, R]$, 
$x \in P$ and $y \in Q$ let 
\[ \mathrm{Eval}(F, x) = F(x) , \qquad \mathrm{Curry}(G)(x)(y) = G(x,y) . \]
Then $\mathrm{Eval} \in \mathrm{CP}[\mathrm{CP}[P,Q] \times P, Q]$ and $\mathrm{Curry} \in \mathrm{CP}[\mathrm{CP}[P \times Q, R], \mathrm{CP}[P, \mathrm{CP}[Q,R]]]$. 

Obviously, $(P \times Q)_i = P_i \times Q_i$ and $\mathrm{CP}[P,Q]_i = \{ F\colon P \to Q \mid (\forall x \in P)\, F(x) = [F([x]_i^P)]_i^Q \}$. 

Theorem 2. The category CP of complete projection spaces and rank-preserving 
maps is Cartesian closed. 

6 The Product Type Construction 

Let $F\colon \mathrm{SFS} \to \mathrm{SFS}$ be rank-preserving. We call $F$ a parameterisation. A map 
$f\colon \mathrm{SFS} \to \bigcup\{ F(T) \mid T \in \mathrm{SFS} \}$ is a section of $F$ if $f(T) \in F(T)$, for all 
$T \in \mathrm{SFS}$. 

Definition 3. Let $F$ be a parameterisation. A section $f$ of $F$ is rank-preserving 
if for all $T, T' \in \mathrm{SFS}$ and all $i \in \omega$ the following condition holds: 
\[ [T]_i^{\mathrm{SFS}} = [T']_i^{\mathrm{SFS}} \;\Rightarrow\; f(T)_i = f(T')_i . \]

We would like to interpret $\forall t.\sigma$ by the set of all rank-preserving sections of 
the parameterisation associated with $\sigma$. This set can be represented as an inverse 
limit of sets, in the same way as the morphism set $\mathrm{SFS}[T,T']$, but in general 
the approximating sets are not finite, as the sets $\mathrm{SFS}_i$ are not finite. Therefore, 
we construct a set which is an inverse limit of an $\omega$-cochain of finite sets and is 
in a one-to-one correspondence with the set of rank-preserving sections of this 
parameterisation. 

Let $F$ be a parameterisation. Then the idea is the following: in order to know 
$F(T)$ we have to know its approximations $F(T)_i$, which depend only on the 
approximations $T_j$ for $j \leq i$, since $F$ is rank-preserving. Thus, instead of taking 
a product over all $T \in \mathrm{SFS}$ it suffices in the $i$th approximation to consider the 
product over all finite cochains 
\[ T_0 \xleftarrow{p_0} T_1 \xleftarrow{p_1} \cdots \xleftarrow{p_{i-1}} T_i . \]
Each such cochain is uniquely determined by the sequence $(p_0, \ldots, p_{i-1})$ of projections. Let 
\[ \mathrm{Seq} = \{ \sigma \mid \sigma = (p_0, \ldots, p_n) \wedge (\forall j < n)\, \mathrm{dom}(p_j) = \mathrm{range}(p_{j+1}) \} \]
and for $\sigma \in \mathrm{Seq}$ define $\mathrm{Ext}(\sigma)$ to be the inverse limit of the cochain 
\[ T_0 \xleftarrow{q_0} T_1 \xleftarrow{q_1} T_2 \xleftarrow{q_2} \cdots \xleftarrow{q_{i-1}} T_i \xleftarrow{q_i} T_{i+1} \xleftarrow{q_{i+1}} \cdots , \]
with $T_i = \mathrm{range}(p_i)$, for $i \leq n$, and $T_i = \mathrm{dom}(p_n)$, otherwise, and $q_i = p_i$, for 
$i \leq n$, and $q_i = \mathrm{id}_{T_i}$ otherwise. Then $\mathrm{Ext}(\sigma)$ is in bijective correspondence 
with $\mathrm{dom}(p_n)$. 

One can easily construct an onto and one-to-one enumeration $\mathrm{seq}\colon \omega \to \mathrm{Seq}$ 
of Seq such that $\mathrm{lth}(\mathrm{seq}(m)) \leq m + 1$, where $\mathrm{lth}(\mathrm{seq}(m))$ is the length of 
the sequence $\mathrm{seq}(m)$. This can e.g. be achieved by enumerating the sequences 
$(p_0, \ldots, p_i)$ such that both $i$ and all elements in the domains and ranges of the $p_j$ 
($j \leq i$) are bounded by $n$ ahead of those sequences $(p_0, \ldots, p_i)$ such that $i$ and the 
elements in the domains and ranges of the $p_j$ ($j \leq i$) are bounded by $n + 1$. Define 
$\Pi_{<n}F$ to be the set of all $(a_0, \ldots, a_n)$ with $a_m \in F(\mathrm{Ext}(\mathrm{seq}(m)))_{\mathrm{lth}(\mathrm{seq}(m))-1}$, for 
all $m \leq n$, such that the following consistency condition holds: for all $m_1, m_2 \leq n$ 
with $m_1 \neq m_2$, if the sequence $\mathrm{seq}(m_2)$ extends the sequence $\mathrm{seq}(m_1)$ then 
\[ a_{m_1} = p^{F(\mathrm{Ext}(\mathrm{seq}(m_2)))}_{\mathrm{lth}(\mathrm{seq}(m_1))-1}\bigl( \cdots \bigl( p^{F(\mathrm{Ext}(\mathrm{seq}(m_2)))}_{\mathrm{lth}(\mathrm{seq}(m_2))-2}(a_{m_2}) \bigr) \cdots \bigr) . \]
Moreover, let $p_n^{\Pi F}\colon \Pi_{<n+1}F \to \Pi_{<n}F$ be the projection onto the (coded) first 
$n + 1$ components and define $\Pi F$ to be the inverse limit of the cochain $(\Pi_{<n}F, p_n^{\Pi F})_{n \geq 0}$. 

In the finite approximations of $\Pi F$ the information about the finite approximations 
of the values under $F$ is collected. Every $t \in \Pi F$ contains the information 
about the behaviour of $F$ on all finite approximating cochains. In order to 
obtain a value in $F(T)$ for some object $T$, the type application function Apply 
has thus to single out the necessary information from $t$. To make this idea precise, 
let $\mathrm{init}(T,i)$ be the uniquely determined number $m$ with $\mathrm{seq}(m) = (p_0^T, \ldots, p_i^T)$. 
Then set 
\[ \mathrm{Apply}(t,T)_i = (t_{\mathrm{init}(T,i)})_{\mathrm{init}(T,i)} . \]
In order to obtain the $i$th approximation of $\mathrm{Apply}(t,T)$, we need to compute 
$t_{\mathrm{init}(T,i)} \in \Pi_{<\mathrm{init}(T,i)}F$. Then $t_{\mathrm{init}(T,i)}$ is an $(\mathrm{init}(T,i) + 1)$-tuple and 

By the definition of $\mathrm{init}(T,i)$, $\mathrm{lth}(\mathrm{seq}(\mathrm{init}(T,i))) = i + 1$. Moreover, we have that 
$\mathrm{Ext}(\mathrm{seq}(\mathrm{init}(T,i)))$ is the $\omega$-cochain $T_0 \leftarrow T_1 \leftarrow \cdots \leftarrow T_i \leftarrow T_{i+1} \leftarrow \cdots$. 
Since $F$ is rank-preserving, it thus follows that 
\[ F(\mathrm{Ext}(\mathrm{seq}(\mathrm{init}(T,i))))_{\mathrm{lth}(\mathrm{seq}(\mathrm{init}(T,i)))-1} = F(T)_i . \]
Hence, $\mathrm{Apply}(t,T) \in F(T)$. 

Proposition 4. Let $F$ be a parameterisation. Then the following two statements 
hold: 

1. For every $t \in \Pi F$, the map $\lambda T.\mathrm{Apply}(t,T)$ is a rank-preserving section of 
$F$. 

2. The map $\Psi_F\colon t \mapsto \lambda T.\mathrm{Apply}(t,T)$ is a bijection from $\Pi F$ onto the set of all 
rank-preserving sections of $F$. 

Statement (1) follows from the foregoing remark. For the proof of (2) let $f$ be 
a rank-preserving section of $F$ and define 
\[ \Phi_F(f)_n = \bigl( f(\mathrm{Ext}(\mathrm{seq}(0)))_{\mathrm{lth}(\mathrm{seq}(0))-1}, \ldots, f(\mathrm{Ext}(\mathrm{seq}(n)))_{\mathrm{lth}(\mathrm{seq}(n))-1} \bigr) . \]
Then a straightforward calculation shows that $\Phi_F(f) \in \Pi F$. In addition, $\Phi_F$ 
and $\Psi_F$ are inverse to each other. 

Because of the property that always $\mathrm{lth}(\mathrm{seq}(m)) \leq m + 1$ we moreover have 
that $\Pi F$ depends on $F \in \mathrm{CP}[\mathrm{SFS}, \mathrm{SFS}]$ in a rank-preserving way. 

Proposition 5. $\Pi \in \mathrm{CP}[\mathrm{CP}[\mathrm{SFS}, \mathrm{SFS}], \mathrm{SFS}]$. 

7 Semantics of the Polymorphic Lambda Calculus 

Set Kind^ = SFS and for kind expressions $\kappa_1, \kappa_2$ define $\mathrm{Kind}^{\kappa_1 \Rightarrow \kappa_2} = 
\mathrm{CP}[\mathrm{Kind}^{\kappa_1}, \mathrm{Kind}^{\kappa_2}]$. Moreover, let $\Phi_{\kappa_1,\kappa_2}$ be the identity on this set. Finally, 
for $T, T' \in \mathrm{SFS}$ and $F \in \mathrm{CP}[\mathrm{SFS}, \mathrm{SFS}]$ set 
\[ \mathcal{I}(\to)(T)(T') = [T \Rightarrow T'] \quad\text{and}\quad \mathcal{I}(\forall)(F) = \Pi F . \]
Then $\mathrm{Kind} = (\{ \mathrm{Kind}^\kappa \mid \kappa \text{ a kind} \}, \{ \Phi_{\kappa_1,\kappa_2} \mid \kappa_1, \kappa_2 \text{ kinds} \}, \mathcal{I})$ is a kind environment 
model. 

Lemma 2. For any constructor expression $\mu$, any constructor variable $\alpha$ occurring 
free in $\mu$ and any environment $\eta$ mapping constructor variables to elements 
of the appropriate kinds the map $\lambda a \in \mathrm{Kind}^\kappa.\,[\![\mu]\!]_{\eta[a/\alpha]}$ is rank-preserving. 

The proof proceeds by structural induction. Note hereto that for projection 
spaces $P$ and $Q$ and rank-preserving maps $F\colon P \to Q$, $[F(a)]_i^Q = [F]_i^{\mathrm{CP}[P,Q]}([a]_i^P)$. 

Next, for $T, T' \in \mathrm{SFS}$ and $F \in \mathrm{CP}[\mathrm{SFS}, \mathrm{SFS}]$, set $\mathrm{Dom}^T = T$ and let the 
maps $\Psi_{T,T'}$ and $\Psi_F$, respectively, be as in Sects. 4.2 and 6. Then it follows with 
Propositions 2 and 4(2) that 
\[ \mathcal{R} = (\mathrm{Kind}, \mathrm{SFS}, \{ \Psi_{T,T'} \mid T, T' \in \mathrm{SFS} \}, \{ \Psi_F \mid F \in \mathrm{CP}[\mathrm{SFS}, \mathrm{SFS}] \}) \]
is a second-order frame. 

Theorem 3. $\mathcal{R}$ is an environment model. 

One has to verify that the maps $g$ in clauses (3) and (5), respectively, of the 
extension of an environment to terms are in the domains of $\Psi_{T,T'}$ and $\Psi_F$. 



8 Final Remarks 

In this paper a new model for the Girard-Reynolds second-order lambda calculus 
is presented, which is not based on domains. This is in accordance with Reynolds, 
who argued in [22] that “types are not limited to computation” and that “they 
should be explicable without invoking constructs, such as Scott domains, that 
are peculiar to the theory of computation.” 

A New Model Construction for the Polymorphic Lambda Calculus 291 

The model allows empty types. As a consequence of this, the type $\forall t.\,t$ is 
interpreted by the empty set, which entails that it is also a model of the logic 
associated with the type structure of the calculus. This is not the case with 
domain models. 

The model is simple and constructive. 
1 Introduction 

In 1941 Church [2] introduced the lambda-delta calculus in an untyped context. 
The purpose of this note is to investigate Church's calculus in a simply typed 
setting and to establish the fundamental properties of this calculus. Toward 
this end we add to classical type theory a conditional $d$ (definition by cases 
functional) at all finite types $A \to (A \to (B \to (B \to B)))$. This functional 
(IF-THEN-ELSE) is defined by the non-equational condition 
\[ \textstyle\bigwedge xyuv.\ (x = y \Rightarrow dxyuv = u \ \&\ \sim x = y \Rightarrow dxyuv = v) . \]



2 Preliminaries 



Simple types are built up from $0$ by $\to$. For each pair $A, B$ of simple types we 
introduce a new constant 
\[ d\colon A \to (A \to (B \to (B \to B))) \]
satisfying the defining condition 
\[ \textstyle\bigwedge xyuv.\ (x = y \Rightarrow dxyuv = u \ \&\ \sim x = y \Rightarrow dxyuv = v) . \]
We shall fix a formulation of type theory in the language with $\bigwedge$, $\Rightarrow$, $=$ and $\lambda$ 
(lambda). In particular, $K = \lambda xy.x$ and $K^* = \lambda xy.y$. We define $\mathrm{FALSE} := K = 
K^*$ and $\sim A := A \Rightarrow \mathrm{FALSE}$. For terms we adopt the simply typed lambda 
calculus with beta-eta conversion: 



\[ (\lambda x.X)Y = [Y/x]X \quad\text{(beta)} \qquad\qquad \lambda x.(Xx) = X \ \ (x \text{ not free in } X) \quad\text{(eta)} \]
\[ \frac{X = U \qquad Y = V}{XY = UV}\ \text{(application)} \qquad\qquad \frac{X = Y}{\lambda x.X = \lambda x.Y}\ \text{(abstraction; $x$ not free in any assumption)} \]
\[ X = X\ \text{(identity)} \qquad\qquad \frac{X = Y \qquad Y = Z}{X = Z}\ \text{(transitivity)} \qquad\qquad \frac{X = Y}{Y = X}\ \text{(symmetry)} \]



and for logical rules we adopt the natural deduction rules $\Rightarrow$I, $\Rightarrow$E, $\bigwedge$I, $\bigwedge$E 
and the classical rule 
\[ \frac{\begin{array}{c}[\sim X = Y]\\ \vdots\\ \mathrm{FALSE}\end{array}}{X = Y}\ (\sim\text{ rule}) \]
viz. 
\[ \frac{\begin{array}{c}[A]\\ \vdots\\ B\end{array}}{A \Rightarrow B}\ (\Rightarrow\mathrm{I}) \qquad\qquad \frac{A \Rightarrow B \qquad A}{B}\ (\Rightarrow\mathrm{E}) \]
\[ \frac{A}{\bigwedge x.A}\ (\textstyle\bigwedge\mathrm{I};\ x \text{ not free in any assumption}) \qquad\qquad \frac{\bigwedge x.A}{[X/x]A}\ (\textstyle\bigwedge\mathrm{E}) \]
The following identities are easily proved using the above together with the 
defining condition for $d$; if $x, y\colon A$ and $u, v\colon B$ 
\begin{align*}
&\textstyle\bigwedge xyuv.\ dxxuv = u && \text{(identity)} \\
&\textstyle\bigwedge xyu.\ dxyuu = u && \text{(reflexivity)} \\
&\textstyle\bigwedge xyuv.\ dxyuv = dyxuv && \text{(symmetry)} \\
&\textstyle\bigwedge xy.\ dxyxy = y && \text{(hypothesis)}
\end{align*}
and in addition if $x, y\colon A$, $u, v\colon (B \to (B \to B)) \to B$ and $w\colon B \to C$ then 
\begin{align*}
&\textstyle\bigwedge xyuv.\ dxy(u(dxy))(v(dxy)) = dxy(uK)(vK^*) && \text{(transitivity)} \\
&\textstyle\bigwedge xyuvw.\ w(dxyuv) = dxy(wu)(wv) && \text{(monotonicity)}
\end{align*}
The reader should compare this to [1]. If $B = B_1 \to (\ldots (B_b \to 0) \ldots)$ then for 
$x, y\colon A$, $u, v\colon B$, and $z_i\colon B_i$ for $i = 1, \ldots, b$ we have in type theory 
\[ d = \lambda xyuv \lambda z_1 \ldots z_b.\ dxy(uz_1 \ldots z_b)(vz_1 \ldots z_b) . \]
Thus, it suffices to have only $d$ with $B = 0$ since the others are definable. We 
shall assume that this is true below. We can also make some simplifications in 
deductions. 

In particular, we can always assume that in the $\sim$ rule the equation $X = Y$ 
is between terms of type $0$, since higher type equations can be replaced as follows: 
\[
\frac{\begin{array}{c}[\sim X = Y]\\ D\\ L = R\end{array}}{X = Y}
\qquad\text{becomes}\qquad
\frac{\begin{array}{c}
\dfrac{[\sim Xx = Yx] \qquad \dfrac{[X = Y] \quad x = x}{Xx = Yx}}{\sim X = Y}\\ D\\ L = R
\end{array}}{Xx = Yx}
\]
\[
\frac{\dfrac{\lambda x.Xx = X}{X = \lambda x.Xx} \qquad \dfrac{\lambda x.Xx = \lambda x.Yx \qquad \lambda x.Yx = Y}{\lambda x.Xx = Y}}{X = Y} .
\]

3 Systems 

DELTA = classical type theory + beta-eta conversion + the defining equation for $d$ for all types $A$ 

DELTA(n) = classical type theory + beta-eta conversion + the defining equation for $d$ for types $A$ with $\mathrm{rank}(A) < n + 1$ 

Delta = beta-eta conversion + the axioms of identity, reflexivity, symmetry, hypothesis, transitivity and monotonicity for $d$ for all types $A$ 

Delta(n) = beta-eta conversion + the axioms of identity, reflexivity, symmetry, hypothesis, transitivity, and monotonicity for $d$ for all types $A$ with $\mathrm{rank}(A) < n + 1$ 

$\vdash$ refers to provability in classical type theory. 

$\vdash\!\to$ refers to equational provability. 

\[ \frac{\begin{array}{c}[\sim X = Y]\\ D\\ L = R\end{array}}{X = Y} \]
When using the axioms of DELTA and Delta it is convenient to take all 
instances of the axioms instead of the universally quantified axioms. The universally 
quantified axioms can be inferred by $\bigwedge$I since axioms are not assumptions 
and the variable restriction is therefore met. 

4 Conservation of DELTA over Delta 

We begin by showing that Delta gives a finite (schematic) equational axiomatization 
of the equational consequences of DELTA. 

Recall that a natural deduction is normal if it has no $\bigwedge$I immediately followed 
by a $\bigwedge$E and no $\Rightarrow$I immediately followed by an $\Rightarrow$E. Define the relation 
of reduction between deductions by 
\[ \frac{\dfrac{\begin{array}{c}D\\ A\end{array}}{\bigwedge x.A}}{[X/x]A} \quad\text{red.}\quad \begin{array}{c}[X/x](D)\\ [X/x]A\end{array} \]
\[ \frac{\dfrac{\begin{array}{c}[A]\\ D_1\\ B\end{array}}{A \Rightarrow B} \qquad \begin{array}{c}D_2\\ A\end{array}}{B} \quad\text{red.}\quad \begin{array}{c}D_2\\ A\\ D_1\\ B\end{array} \]

Proposition 1 (Prawitz): Every reduction sequence of deductions 
terminates in a unique normal deduction. 



Proposition 2: 
\begin{align*}
&\text{Delta},\ dxyuv = v,\ duvwz = z \ \vdash\!\to\ dxywz = z \\
&\text{Delta},\ dxyuv = v,\ dxyvw = w \ \vdash\!\to\ dxyuw = w \\
&\text{Delta},\ dxyuv = u,\ dxyvw = v \ \vdash\!\to\ dxyuw = u \\
&\text{Delta},\ dxyuv = v \ \vdash\!\to\ dxyvu = u \\
&\text{Delta},\ dxyuv = v,\ dxyab = b \ \vdash\!\to\ dxy(ua)(vb) = vb \\
&\text{Delta},\ dxyuv = u,\ dxyab = a \ \vdash\!\to\ dxy(ua)(vb) = ua \\
&\text{Delta},\ dxyKK^* = K \ \vdash\!\to\ x = y \\
&\text{Delta},\ d(dxyKK^*)(K^*)(K)(K^*) = K^* \ \vdash\!\to\ x = y
\end{align*}



For sets $S$ of equations and negations of equations, define $x \neq y$ to be the equation 
$dxyKK^* = K^*$ and let $S^*$ be $S$ with each negation $\sim X = Y$ replaced by $X \neq Y$. If $D$ is a 
natural deduction define $\mathrm{depth}(D)$ and $\mathrm{length}(D)$ as follows. If $D$ is an axiom 
or assumption then $\mathrm{depth}(D) = \mathrm{length}(D) = 0$. If 
\[ D = \frac{D(1)\ \ldots\ D(n)}{A}\ (R) \]
for $R$ some rule of inference then 
\begin{align*}
\mathrm{length}(D) &= 1 + \mathrm{length}(D(1)) + \ldots + \mathrm{length}(D(n)) \quad\text{and} \\
\mathrm{depth}(D) &= 1 + \max\{\mathrm{depth}(D(1)), \ldots, \mathrm{depth}(D(n))\} \quad\text{if $R$ is one of the logical rules } \Rightarrow\mathrm{I}, \Rightarrow\mathrm{E}, \textstyle\bigwedge\mathrm{I}, \bigwedge\mathrm{E}, \sim, \text{ and} \\
&= \max\{\mathrm{depth}(D(1)), \ldots, \mathrm{depth}(D(n))\} \quad\text{otherwise.}
\end{align*}

Lemma 1: 

(1) If there is a deduction of $X = Y$ from DELTA, Delta, $S \cup \{U = V\}$ which is 
normal and depth $< n + 1$ then there is a deduction of $dUVXY = Y$ from 
DELTA, Delta, $S$ which is normal and depth $< n + 1$. 

(2) If there is a deduction of $X = Y$ from DELTA, Delta, $S \cup \{\sim U = V\}$ which 
is normal and depth $< n + 1$ then there is a deduction of $dUVXY = X$ from 
DELTA, Delta, $S$ which is normal and depth $< n + 1$. 

PROOF: The proof is by induction on the ordinal number $\mathrm{ord}(D) = \omega \cdot \mathrm{depth}(D) + 
\mathrm{length}(D)$ of the normal deduction $D$. 

Basis: $\mathrm{ord}(D) = 0$. 

(1) $X = Y$ is an axiom, a member of Delta or a member of $S \cup \{U = V\}$. In case 
$X = Y$ is an axiom, a member of Delta, or a member of $S$ then we have the 
following deduction: 
\[ \frac{\dfrac{dUVY = dUVY \qquad X = Y}{dUVXY = dUVYY} \qquad dUVYY = Y}{dUVXY = Y} . \]
In case $X = Y$ is $U = V$ we have that $dUVUV = V$ is in Delta. 

(2) $X = Y$ is an axiom, a member of Delta, or a member of $S$. We have the 
following deduction: 
\[ \frac{\dfrac{dUVX = dUVX \qquad \dfrac{X = Y}{Y = X}}{dUVXY = dUVXX} \qquad dUVXX = X}{dUVXY = X} . \]



Induction step: $\mathrm{ord}(D) > 0$. 

Case 1: $D$ ends in $\sim$. 
\[ D = \frac{\begin{array}{c}[\sim X = Y]\\ \vdots\\ L = R\end{array}}{X = Y} \]

(1) By induction hypothesis there is a deduction of $dXYLR = L$ from DELTA, 
Delta, $S \cup \{U = V\}$ which is normal and depth $< n$. Thus, there is a deduction 
of $dXYXY = X$ from DELTA, Delta, $S \cup \{U = V\}$ which is normal and 
depth $< n$. Thus, there is a deduction of $X = Y$ from DELTA, Delta, 
$S \cup \{U = V\}$ which is normal and depth $< n$. Thus, by induction hypothesis 
there is a deduction of $dUVXY = Y$ from DELTA, Delta, $S$ which is normal 
and depth $< n < n + 1$. 

(2) Similar to (1). 



Case 2: $D$ ends in $\Rightarrow$E. The first possibility is $D =$ 
\[ \frac{\sim Z(1) = Z(2) \Rightarrow dZ(1)Z(2)Z(3)Z(4) = Z(4) \qquad \begin{array}{c}D''\\ \sim Z(1) = Z(2)\end{array}}{dZ(1)Z(2)Z(3)Z(4) = Z(4)} \]
with $X = dZ(1)Z(2)Z(3)Z(4)$ and $Y = Z(4)$. We distinguish two subcases. 

Subcase 1: $D''$ ends in $\Rightarrow$I. Say $D'' =$ 
\[ \frac{\begin{array}{c}[Z(1) = Z(2)]\\ D'''\\ L = R\end{array}}{\sim Z(1) = Z(2)} . \]

(1) By induction hypothesis there is a deduction of $dZ(1)Z(2)LR = R$ from 
DELTA, Delta, $S \cup \{U = V\}$ which is normal and depth $< n - 1$. Thus, 
there is a deduction of $dZ(1)Z(2)Z(3)Z(4) = Z(4)$ from DELTA, Delta, 
$S \cup \{U = V\}$ which is normal and depth $< n - 1$. We have the following: 
Thus, by induction hypothesis there is a deduction of $dWZLR = R$ from 
DELTA, Delta, $S$ which is normal and depth $< 2$. Thus, by Proposition 2 
there is a deduction of $dUVXY = Y$ from DELTA, Delta, $S$ which is normal 
and depth $< n + 1$. 

(2) Similar to (1). 

Subcase 2: $D''$ is empty. In case $\sim Z(1) = Z(2)$ belongs to $S$ we have 
(1) the deduction 
\[ \frac{\dfrac{\dfrac{dUVX = dUVX \qquad \dfrac{D}{X = Y}}{dUVXX = dUVXY}}{dUVXY = dUVXX} \qquad dUVXX = X}{dUVXY = Y} \]

(2) Similar to (1). 

In case $\sim Z(1) = Z(2)$ is $\sim U = V$ and we are in (2), we have the following 
member of Delta (instance of transitivity): 
\[ dZ(1)Z(2)(dZ(1)Z(2)Z(3)Z(4))Z(4) = dZ(1)Z(2)Z(3)Z(4) . \]
The only other possibility is $D =$ 
\[ \frac{\sim W = Z \qquad W = Z}{L = R} . \]

(1) By induction hypothesis there is a deduction of $dUVWZ = Z$ from DELTA, 
Delta, $S$ which is normal and depth $< n$. In addition, there is a deduction of 
$dWZLR = R$ from DELTA, Delta, $S$ which is normal and depth $< 2$. Thus, 
by Proposition 2, there is a deduction of $dUVXY = Y$ from DELTA, Delta, 
$S$ which is normal and depth $< n + 1$. 

(2) We distinguish two subcases. 

Subcase 1: $\sim U = V$ is $\sim W = Z$. 

By induction hypothesis there is a deduction of $dUVUV = U$ from DELTA, 
Delta, $S$ which is normal and depth $< n$. Thus, there is a deduction of 
$U = V$ from DELTA, Delta, $S$ which is normal and depth $< n$. Thus, there 
is a deduction of $dUVLR = L$ from DELTA, Delta, $S$ which is normal and 
depth $< n + 1$. 

Subcase 2: Otherwise. 

By induction hypothesis there is a deduction of $dUVWZ = W$ from DELTA, 
Delta, $S$ which is normal and depth $< n$. In addition, there is a deduction of 
$dWZLR = R$ from DELTA, Delta, $S$ which is normal and depth $< 2$. Thus, 
by Proposition 2 there is a deduction of $dUVLR = R$ from DELTA, Delta, 
$S$ which is normal and depth $< n + 1$. 



Case 3: D ends in one of the rules of equality or beta-eta conversion. 
These cases follow from Proposition 2. 

End of Proof. 



Proposition 3: 
\begin{align*}
\text{DELTA},\ S \cup \{U = V\} \vdash X = Y &\;\Rightarrow\; \text{Delta},\ S^* \vdash\!\to dUVXY = Y \\
\text{DELTA},\ S \cup \{\sim U = V\} \vdash X = Y &\;\Rightarrow\; \text{Delta},\ S^* \vdash\!\to dUVXY = X
\end{align*}

From Proposition 3 we obtain 

Theorem 1: DELTA $\vdash X = Y$ $\iff$ Delta $\vdash\!\to X = Y$. 
5 Reduction of DELTA to Delta 

Next we combine III with a well known reduction of type theory to equations to 
give a reduction of typed logical reasoning to typed equational reasoning. 

If $A$ is an equation $X = Y$ we put $A[L] = X$ and $A[R] = Y$. We translate 
statements of type theory into equations by the operation $+$ as follows 
\begin{align*}
(X = Y)^+ &:= X = Y \\
(A \Rightarrow B)^+ &:= d(A^+[L])(A^+[R])(B^+[L])(B^+[R]) = B^+[R] \\
(\textstyle\bigwedge x.A)^+ &:= \lambda x.A^+[L] = \lambda x.A^+[R] .
\end{align*}

Proposition 4: DELTA $\vdash A \iff A^+$. 

We obtain the following: 

Corollary: DELTA $\vdash A$ $\iff$ Delta $\vdash\!\to A^+$. 
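Worked example, added here and not part of the paper: the translation $+$ applied to the sentence $\bigwedge xy.\,(x = y \Rightarrow y = x)$ with $x, y\colon 0$, followed by an equational proof of the resulting equation from the Delta axioms, which is what the Corollary predicts since the sentence is provable in DELTA.

```latex
% Step 1: translate.  Here A is (x = y) and B is (y = x), so
% A^+[L] = x, A^+[R] = y, B^+[L] = y, B^+[R] = x, and the clause for
% (A => B)^+ yields d x y y x = x.
\begin{align*}
(x = y \Rightarrow y = x)^+
  &:= d\,x\,y\,y\,x = x \\
(\textstyle\bigwedge y.\,(x = y \Rightarrow y = x))^+
  &:= \lambda y.\,dxyyx = \lambda y.\,x \\
(\textstyle\bigwedge xy.\,(x = y \Rightarrow y = x))^+
  &:= \lambda xy.\,dxyyx = \lambda xy.\,x
\end{align*}
% Step 2: derive the translated equation using only Delta axiom
% instances and the equational rules.
\begin{align*}
dxyyx &= dyxyx
  && \text{symmetry axiom, instance } u := y,\ v := x \\
dyxyx &= x
  && \text{hypothesis axiom with the roles of } x \text{ and } y \text{ interchanged} \\
dxyyx &= x
  && \text{transitivity} \\
\lambda xy.\,dxyyx &= \lambda xy.\,x
  && \text{abstraction rule, applied twice}
\end{align*}
```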

Proposition 4 can be improved given certain consequences of the axiom of 
choice; in particular, the existence of extensionality functionals. 

For each pair $C, D$ of simple types we introduce a new constant $e\colon (C \to 
D) \to ((C \to D) \to C)$ satisfying the “defining” condition 
\[ \textstyle\bigwedge xy.\ x(exy) = y(exy) \Rightarrow x = y . \]
Given the “defining” condition for $e$ and $A = C \to D$ we can define $d\colon A \to 
(A \to (0 \to (0 \to 0)))$ from $d\colon D \to (D \to (0 \to (0 \to 0)))$ by the term 
\[ \lambda xy.\ d(x(exy))(y(exy)) \]
and derive the defining condition for $d\colon A \to (A \to (0 \to (0 \to 0)))$. Moreover, 
the “defining” condition for $e$ follows from Delta and the equation 
\[ \lambda xy.\ d(x(exy))(y(exy))xy = K . \]
Let the set of all these equations be Ext. We conclude 

Proposition 5: DELTA(0), Delta, Ext $\vdash A \iff A^+$. 



VI. Delta(1) 

IV can be sharpened to DELTA(n) and Delta(n), and, in the case of $n < 2$, 
DELTA is conservative over Delta(n). Delta(1) corresponds to 1st order logic 
and is thus undecidable. 

Proposition 6: DELTA(n) $\vdash X = Y$ $\iff$ Delta(n) $\vdash\!\to X = Y$. 

Let OMEGA be the full type structure over a countable ground domain as 

Lemma 2: If $M$ is any countable model of DELTA(1) then there exists a partial 
surjective homomorphism $h\colon \mathrm{OMEGA} \to M$ such that $\;= [\![d]\!]$. 

Theorem 2: If $X$ and $Y$ contain only $d$ with $A$ of rank $< 2$ then DELTA $\vdash X = 
Y$ $\iff$ Delta(1) $\vdash\!\to X = Y$. 

The sentence $A$ of type theory is said to be first-order if each equation in $A$ is 
between $d$-free terms of type with rank $< 2$ and each quantifier in $A$ is of type 
$0$. If $A$ is first-order then $A^+$ contains at most $d$ of corresponding rank $< 2$. 
Thus 

Corollary: If $A$ is first-order then 
\[ \text{DELTA} \vdash A \iff \text{Delta(1)} \vdash\!\to A^+ . \]

Gödel's famous observation [4] that the consistency of $n$th order arithmetic can 
be proved in $(n + 1)$th order shows that this corollary does not extend to larger 
values of $n$. 

Corollary: The problem of determining whether 
\[ \text{Delta(1)} \vdash M = N \]
is recursively unsolvable. 



6 Delta(0) 

We extend the language of type theory by adding infinitely many distinct type $0$ 
constants $c(0), c(1), \ldots, c(n), \ldots$. In addition, we supplement beta-eta reduction 
by the following form of $d$ reduction 
\[ \text{(d)}\quad dc(i)c(j)XY \to \]
The resulting notion of reduction $\twoheadrightarrow$ (beta-eta-delta) is obviously terminating 
Church-Rosser. We shall also consider the language with additional constants 
$F\colon A = A(1) \to (\ldots (A(a) \to 0) \ldots)$ and reduction rules 
\[ \text{(Eval)}\quad FM(1) \ldots M(a) \to c \]
where each $M(i)$ is a closed term of type $A(i)$. It will be convenient to refer to 
the rules (d) and (Eval) together by the notation $\to$. In particular, we consider 
the following conditions 

(1) The number of (Eval) rules is finite. 

(2) Each (Eval) rule has a left hand side which is in long beta-eta normal form 
and is $\to$ normal. 

(3) Each closed term of type $0$ appears at most once as the left hand side of an 
$\to$ rule. 

(4) Whenever 
\[ FM(1) \ldots M(a) \to c(i) \qquad FN(1) \ldots N(a) \to c(j) \]
and $\sim i = j$ there exists $0 < k < a + 1$ with $A(k) = B(1) \to (\ldots (B(b) \to 0) \ldots)$, 
and there exist $F(1)\colon B(1), \ldots, F(b)\colon B(b)$, $c(r)\colon 0$, $c(s)\colon 0$ with $\sim r = s$, 
and we have 
\[ M(k) = \lambda x(1) \ldots x(b)\, X \qquad N(k) = \lambda y(1) \ldots y(b)\, Y \]
with $X, Y\colon 0$ such that 
\[ [F(1)/x(1), \ldots, F(b)/x(b)]X \to c(r) \qquad [F(1)/y(1), \ldots, F(b)/y(b)]Y \to c(s) . \]



Proposition 7: A notion of reduction $\to$ satisfying (2) and (3) is terminating 
Church-Rosser. 

Let $M$ be a closed term in long beta-eta normal form with Böhm tree 
BOHM($M$). We define the decorated Böhm tree of $M$, BOHM+($M$), as follows. 
The nodes of BOHM+($M$) are the same as the nodes of BOHM($M$) except certain 
nodes are labelled with matrices of constants as follows. The node $v$ whose 
Böhm tree label has prefix PREFIX($v$) $= \lambda x(1)\colon A(1) \ldots x(t)\colon A(t)$ 
is labelled also with the matrix MATRIX($v$) $=$ 
\[ \begin{array}{ccc} F(1,1), & \ldots, & F(1,t) \\ \vdots & & \vdots \\ F(s,1), & \ldots, & F(s,t) \end{array} \]
where $s > 0$ depends on $v$ and $F(i,j)\colon A(j)$ is a new constant. $s = s(v)$ is 
computed as follows. First, the tree ordering of nodes is extended to the Kleene-Brouwer 
linear ordering and then reversed. We shall refer to this as the 
co-K-B ordering. $s$ is computed recursively over the co-K-B order. For given $v$ 
enumerate all the nodes below $v$ in the co-K-B order of the same prefix type. 
For each such node $w$ consider all the simultaneous selections of rows from the 
matrices already labelling all nodes below $v$. For each such pair of selections 
include a row in MATRIX($v$). Evidently, $s(v)$ is bounded by an elementary 
function in the rank, in the sense of ordered sets, of $v$. Moreover, each row of 
MATRIX($v$) can be associated with a node $w$ with similar prefix below $v$ and a 
pair of selections of rows from matrices labelling nodes below $w$ and below $v$. 

With each node $v$ in BOHM+($M$) and each selection of rows from the matrices 
labelling nodes $w$ below $v$ we associate a substitution SUB($v$, selection) 
defined as follows. If 
\[ \mathrm{PREFIX}(w) = \lambda x(1)\colon B(1) \ldots x(r)\colon B(r), \qquad \mathrm{MATRIX}(w) = \begin{array}{ccc} G(1,1), & \ldots, & G(1,r) \\ \vdots & & \vdots \\ G(s,1), & \ldots, & G(s,r) \end{array} \]
and row $j$ is selected then SUB($v$, selection) includes 
\[ [G(j,1)/x(1), \ldots, G(j,r)/x(r)] . \]
Now the term implicit at $v$ with this selection is defined to be IMPLICIT($v$, 
selection) $=$ SUB($v$, selection) BOHM($M$)($v$). 

Proposition 7: Given a notion of reduction $\to$ satisfying (1), (2), (3), and (4) 
there exists a substitution SUB for the constants that appear in the (Eval) rules 
such that for each (Eval) rule as above we have $(\mathrm{SUB}\,F)(\mathrm{SUB}\,M(1)) \ldots (\mathrm{SUB}\,M(a)) \twoheadrightarrow c$. 

PROOF: Suppose that $F\colon A$. SUB($F$) is defined by recursion on $A$. Suppose 
that $A = A(1) \to (\ldots (A(m) \to 0) \ldots)$, $A(k) = A(k,1) \to (\ldots (A(k,m(k)) \to 0) \ldots)$, and 
\[ FM(1,1) \cdots M(1,m) \to c(1) \qquad \ldots \qquad FM(n,1) \cdots M(n,m) \to c(n) \]
are all the EVAL rules which begin with $F$. For each pair $i < j$ there exists 
a $k = k(i,j)$ such that if 
\[ M(i,k) = \lambda x(k,1)\colon A(k,1) \ldots x(k,m(k))\colon A(k,m(k))\, X, \qquad M(j,k) = \lambda x(k,1)\colon A(k,1) \ldots x(k,m(k))\colon A(k,m(k))\, Y, \]
with $X, Y\colon 0$, there are constants $F(i,j,1)\colon A(k,1), \ldots, F(i,j,m(k))\colon A(k,m(k))$, $c(p(i,j))\colon 0$, 
$c(q(i,j))\colon 0$ such that $p(i,j)$ is distinct from $q(i,j)$, 
\[ [F(i,j,1)/x(k,1), \ldots, F(i,j,m(k))/x(k,m(k))]X \to c(p(i,j)), \quad\text{and}\quad [F(i,j,1)/x(k,1), \ldots, F(i,j,m(k))/x(k,m(k))]Y \to c(q(i,j)). \]
Let $x(i)\colon A(i)$. For $i = 1, \ldots, n$ and $j = 1, \ldots, i-1, i+1, \ldots, n$ define terms 
$Q(i,j)\colon A$ and $P(i)\colon 0 \to A$ 
\begin{align*}
Q(i,j) &= \lambda x(1) \ldots x(m)\, x(k(i,j))(\mathrm{SUB}(F(i,j,1))) \ldots (\mathrm{SUB}(F(i,j,m(k)))) \\
P(i) &= \lambda x(1) \ldots x(m) \lambda z\colon 0\ d(Q(i,1)x(1) \ldots x(m))(c(q(i,1)))(\ldots (d(Q(i,n)x(1) \ldots x(m))c(q(i,n)))c(i)z) \ldots)z .
\end{align*}

304 Rick Statman 

Put 
\[ \mathrm{SUB}(F) = \lambda x(1) \ldots x(m).\ P(n)x(1) \ldots x(m)(\ldots (P(1)x(1) \ldots x(m)c(0)) \ldots) . \]

We claim that SUB($F$) has the desired properties. The proof is by induction 
on the length of the left hand side $FM(1) \ldots M(m)$. We suppose that 
$FM(1) \ldots M(m) \to c$ is the $t$th Eval rule for $t$ some value between $1$ and $n$ so 
$M(i) = M(t,i)$ and $c = c(t)$. 

We have 
\[ \mathrm{SUB}(F)(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m))) \twoheadrightarrow P(n)(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m)))(\ldots (P(1)(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m)))c(0)) \ldots) . \]
Let 
\[ U(i) = P(i)(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m)))(\ldots (P(1)(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m)))c(0)) \ldots) . \]
Then 
\[ U(i) \twoheadrightarrow d((Q(i,1))(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m))))(c(q(i,1)))(\ldots (d(Q(i,n)(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m)))c(q(i,n)))c(i)U(i-1)) \ldots)U(i-1) . \]
In addition, 
\[ (Q(i,j))(\mathrm{SUB}(M(1))) \ldots (\mathrm{SUB}(M(m))) \twoheadrightarrow \mathrm{SUB}(M(k(i,j)))(\mathrm{SUB}(F(i,j,1))) \ldots (\mathrm{SUB}(F(i,j,m(k(i,j))))) = \mathrm{SUB}(M(k(i,j))F(i,j,1) \ldots F(i,j,m(k(i,j)))) . \]
Now $M(k(i,j))F(i,j,1) \ldots F(i,j,m(k(i,j))) \to c(p(i,j)) \neq c(q(i,j))$ 
when $t = j$ and this reduction uses only EVAL rules of smaller left hand side. 
Thus, by induction hypothesis 
\[ \mathrm{SUB}(M(k(i,j)))(\mathrm{SUB}(F(i,j,1))) \ldots (\mathrm{SUB}(F(i,j,m(k(i,j))))) \]
beta-eta-delta converts to $c(p(i,j))$. Thus, for $i \neq t$ we have $U(i)$ beta-eta-delta 
converts to $U(i-1)$. Now when $i = t$ for all $j$ 
\[ M(k(i,j))F(i,j,1) \ldots F(i,j,m(k(i,j))) \to c(q(i,j)) \]
and this reduction uses only EVAL rules of smaller left hand side. Thus, by induction 
hypothesis for all $j$, $\mathrm{SUB}(M(k(i,j)))(\mathrm{SUB}(F(i,j,1))) \ldots (\mathrm{SUB}(F(i,j,m(k(i,j)))))$ beta-eta-delta 
converts to $c(q(i,j))$ and $U(i)$ beta-eta-delta converts to $c(i)$. This completes the 
proof. 

Proposition 8: Suppose that $M = \lambda x(1) \ldots x(a).\ X\colon A = A(1) \to (\ldots (A(a) \to 0) \ldots)$ 
and $N = \lambda y(1) \ldots y(a).\ Y\colon A$, and $\sim$ Delta(0) $\vdash M = N$. Then 
there exist $F(1)\colon A(1), \ldots, F(a)\colon A(a)$, $c(i)\colon 0$, $c(j)\colon 0$ with $\sim i = j$, and a 
notion of reduction $\to$ satisfying conditions (1), (2), (3), (4) such that 
\[ [F(1)/x(1), \ldots, F(a)/x(a)]X \to c(i) \qquad [F(1)/y(1), \ldots, F(a)/y(a)]Y \to c(j) . \]
PROOF: We have that in OMEGA $[\![M]\!]$ and $[\![N]\!]$ are distinct so there are $f(1), \ldots, f(t)$, 
$c(0)$, and $c(1)$ such that $[\![M]\!]\, f(1) \ldots f(t) = c(0)$ and $[\![N]\!]\, f(1) \ldots f(t) = c(1)$. 
We shall now interpret the constants in the matrix labels in the decorated Böhm 
tree of $P =$ 
\[ \lambda x(1)\colon A(1) \ldots x(t)\colon A(t)\ \lambda x\colon 0\ y\colon 0.\ dXYxy . \]
If the root node constants are $F(1), \ldots, F(t), c(0), c(1)$. Suppose that all the 
constants at nodes below $v$ have been interpreted and suppose that row $i$ is 
associated with node $w$ and a pair of selections of constants. If 
$[\![\mathrm{SUB}(w,\mathrm{selection})\mathrm{BOHM}(P)(w)]\!]$ and $[\![\mathrm{SUB}(v,\mathrm{selection})\mathrm{BOHM}(P)(v)]\!]$ are 
distinct then there exist $f(1), \ldots, f(t)$ in OMEGA such that 
\[ [\![\mathrm{SUB}(w,\mathrm{selection})\mathrm{BOHM}(P)(w)]\!]\, f(1) \ldots f(t) \neq [\![\mathrm{SUB}(v,\mathrm{selection})\mathrm{BOHM}(P)(v)]\!]\, f(1) \ldots f(t) \]
and we set 
\[ [\![F(i,1)]\!] = f(1), \ \ldots, \ [\![F(i,t)]\!] = f(t) . \]
Otherwise we interpret the constants of the $i$th row arbitrarily. 

Now we define a notion of reduction. For each closed type $0$ subterm 
\[ FM(1) \ldots M(m) \]
of a term implicit at some node in BOHM($P$) with some selection we 
associate the reduction 
\[ FM(1) \ldots M(m) \to c(i) \]
for $c(i) = [\![FM(1) \ldots M(m)]\!]$. These reductions together with the (d) delta 
reductions are not a notion of reduction as we have defined it because the left 
hand sides of some of the EVAL reductions are not $\to$ normal. However, since 
the reductions are all length decreasing, the Knuth-Bendix completion of this 
set of reductions is generated by a set of rules which satisfies 

(2) each EVAL rule has a left hand side which is in long beta-eta-$\to$ normal 
form 

(3) each left hand side is the left hand side of at most one $\to$ rule. 

(1) the set of $\to$ rules is finite 
Finally we must show that this set of rules satisfies (4). Clearly, it suffices to 
show that the original set satisfies (4). Suppose that we are given 
\[ FM(1) \ldots M(m) \to c(i) \qquad FN(1) \ldots N(m) \to c(j) \]
with $i$ different from $j$. Then $[\![F]\!]\,[\![M(1)]\!] \ldots [\![M(m)]\!] = [\![FM(1) \ldots M(m)]\!] \neq 
[\![FN(1) \ldots N(m)]\!] = [\![F]\!]\,[\![N(1)]\!] \ldots [\![N(m)]\!]$ so for some $k$, $[\![M(k)]\!]$ is 
different from $[\![N(k)]\!]$. Let 
\[ M(k) = \lambda x(1) \ldots x(t)\, X, \qquad N(k) = \lambda x(1) \ldots x(t)\, Y, \qquad X, Y\colon 0 . \]
Now $M(k)$ and $N(k)$ are instances of subterms of $P$, say $W$ and $V$ respectively, 
which appear at nodes $w$ and $v$ respectively in BOHM($P$). W.L.O.G. assume 
that $v$ is above $w$ in the co-K-B ordering. Now there are selections selection(1) 
and selection(2) such that 
\begin{align*}
\mathrm{SUB}(w,\mathrm{selection}(1))\mathrm{BOHM}(w) &= \mathrm{SUB}(w,\mathrm{selection}(1))W = M(k) \\
\mathrm{SUB}(v,\mathrm{selection}(2))\mathrm{BOHM}(v) &= \mathrm{SUB}(v,\mathrm{selection}(2))V = N(k) .
\end{align*}
Since these are distinct, the row 
\[ F(1) \ldots F(t) \]
of MATRIX($v$) associated with $w$ and these selections is interpreted by members 
of OMEGA $f(1), \ldots, f(t)$ such that $[\![M(k)]\!]\, f(1) \ldots f(t) = c(p)$ is distinct from 
$[\![N(k)]\!]\, f(1) \ldots f(t) = c(q)$. It follows easily that 
\[ [F(1)/x(1), \ldots, F(t)/x(t)]X \to c(p) \]
and 
\[ [F(1)/x(1), \ldots, F(t)/x(t)]Y \to c(q) . \]
This completes the proof. 



Theorem 3: If $M$ and $N$ are closed terms $\colon A = A(1) \to (\ldots (A(a) \to 0) \ldots)$ 
and $\sim$ Delta(0) $\vdash\!\to M = N$ then there exist closed terms 
$T(1)\colon A(1), \ldots, T(a)\colon A(a)$, $c(i)\colon 0$, $c(j)\colon 0$ with $\sim i = j$ 
such that 
\[ MT(1) \ldots T(a) \to c(i) \qquad NT(1) \ldots T(a) \to c(j) . \]



Corollaries:

(1) The problem of determining whether Delta(0) ⊢ M = N is decidable.

(2) The set of hereditarily finite full type structures is complete for Delta(0).
Kreisel's hereditarily continuous functionals are complete for Delta(0). Indeed,
any single infinite model is complete.

(3) The problem of determining whether

Delta(0), M(1) = N(1), ... , M(m) = N(m) ⊢ M = N is decidable.
Indeed, consistency is decidable and M = N is consistent iff M = N is true
in the two element model.

We now consider the Delta(0) unification problem. Given closed terms M, N :
A → B we wish to decide whether there exists a closed term P such that
Delta(0) ⊢ MP = NP. Such a P is called a unifier or a solution as in [5]. A
special case of this is the "matching problem" when N = KQ or, equivalently, to
decide whether there exists P such that Delta(0) ⊢ MP = Q. In the presence
of d of lowest type the general unification problem is reducible to matching as
follows.

If B = B(1) → (... (B(b) → 0) ...) then M and N are unifiable iff
λx. λx(1) ... x(b). d(Mxx(1) ... x(b))(Nxx(1) ... x(b)) K K* and
λx(1) ... x(b). K can be matched. The following is well known from unification
theory.



Proposition 9: If the set of Church numerals is the set of solutions to a unification
problem then unification and, therefore, matching is recursively unsolvable.

Lemma 2: The set of Church numerals is the set of unifiers of the terms

λx. λuv. u(xuv) and λx. λuv. xu(uv).

Corollary: Unification and matching in Delta(0) are undecidable.
Abstract. In this paper we consider the problem of answering queries
consistently in the presence of inconsistent data, i.e. data violating integrity
constraints. We propose a technique based on the rewriting of integrity
constraints into disjunctive rules with two different forms of negation
(negation as failure and classical negation). The disjunctive program can be
used i) to generate 'repairs' for the database and ii) to produce consistent
answers, i.e. maximal sets of atoms which do not violate the constraints. We
show that our technique is sound, complete and more general than techniques
previously proposed.



1 Introduction 

Integrity constraints represent an important source of information about the real
world. They are usually used to define constraints on data (functional dependencies,
inclusion dependencies, etc.). An integrity constraint can be considered as a
query which must always be true after a modification of the database. Integrity
constraints nowadays have a wide applicability in several contexts such as semantic
query optimization, cooperative query answering, database integration, view
update and others. Since the satisfaction of integrity constraints cannot, in general,
be guaranteed, in the evaluation of queries we must compute answers which
are consistent with the integrity constraints.

Inconsistencies might arise, for instance, when the database is obtained from
the integration of different information sources. The integration of knowledge
from multiple sources is an important aspect in several areas such as data
warehousing, database integration, automated reasoning systems, active reactive
databases. The following example shows a typical case of inconsistency.

Example 1. Consider the following database schema consisting of the single binary
relation Teaches(Course, Professor) where the attribute Course is a key for
the relation. Assume there are two different instances of the relation Teaches
as reported in the following figure.

a EC grant under the project "Contact". The first author is also supported by IST

The two instances satisfy the constraint that Course is a key but, from the
union of the two databases, we derive a relation which does not satisfy the
constraint since there are two distinct tuples with the same value for the attribute
Course.

In the integration of two conflicting databases simple solutions could be based
on the definition of preference criteria such as a partial order on the source
information or majority criteria [19]. However, these solutions are not satisfactory
in the general case and more interesting solutions are those based on 1) the
computation of 'repairs' for the database, 2) the computation of consistent answers
[5].

The computation of repairs is based on the insertion and deletion of tuples
so that the resulting database satisfies all constraints. The computation of
consistent answers is based on the identification of tuples satisfying integrity
constraints and the selection of tuples matching the goal. For instance, for the
integrated database of Example 1, we have two alternative repairs consisting in
the deletion of one of the tuples (c2, p2) and (c2, p3). The consistent answer to
a query over the relation Teaches contains the unique tuple (c1, p1), so that we
don't know which professor teaches course c2. The following example presents
another case of inconsistent database.

Example 2. [22, 5] Consider a database D consisting of the following two relations
with the integrity constraint, defined by the following first order formula

(∀X ∀Y ∀Z) [ Supply(X, Y, Z) ∧ Class(Z, t) ⊃ X = c1 ]

stating that only supplier c1 can supply items of type t. The database D =
{Supply(c1, d1, i1), Supply(c2, d2, i2), Class(i1, t), Class(i2, t)} is inconsistent
because the integrity constraint is not satisfied (supplier c2 also supplies an
item of type t). From the integrity constraint we can derive two alternative
repaired databases: D1 = {Supply(c1, d1, i1), Class(i1, t), Class(i2, t)} and
D2 = {Supply(c1, d1, i1), Supply(c2, d2, i2), Class(i1, t)} derived by deleting
either the atom Supply(c2, d2, i2) or the atom Class(i2, t).

Moreover, while we are not able to answer a query Supply(c2, X, Y), asking
for the department and item supplied by c2, we are able to answer a query
Supply(c1, X, Y) asking for the department and item supplied by c1. Further, a
query Class(Z, t), asking for the items of type "t", can also be answered (with
Z = i1, i.e. i1 is the only item of type t) whereas a query not Class(i2, t), asking
if item i2 is not of type t, cannot be answered (unknown fact).

Therefore, in the presence of inconsistent data it is very important to compute
the set of consistent answers, but also to know which facts are unknown and
whether there are possible repairs for the database. In our approach it is possible
to compute the tuples which are consistent with the integrity constraints and
answer queries by considering as true the facts contained in every repaired
database, as false the facts contained in no repaired database and as unknown
the remaining facts.

We point out that, recently, there have been several proposals considering the 
integration of databases as well as the computation of queries over inconsistent 
databases [1,2,5,6,17,18,19,20]. All these techniques work for restricted cases 
and the most general technique so far introduced is complete only for universal 
quantified binary constraints [5]. Techniques for the integration of knowledge 
bases, expressed by means of first order formulas, have been proposed as well 
[3,4,23,14]. 

The main contribution of the paper is the introduction of a technique which
maximizes the correct answers derivable from an inconsistent database. Our
technique is based on the rewriting of integrity constraints into disjunctive rules
with two different forms of negation (negation as failure and classical negation).
The disjunctive program can be used i) to generate 'repairs' for the database
and ii) to produce consistent answers, i.e. maximal sets of atoms which do not
violate the constraints. We show that our technique is sound, complete and more
general than techniques previously proposed.



2 Disjunctive Deductive Databases 

A (disjunctive Datalog) rule r is a clause of the form

A_1 ∨ ... ∨ A_k ← B_1, ..., B_m, not C_1, ..., not C_n,    k + m + n > 0.

A_1, ..., A_k, B_1, ..., B_m, C_1, ..., C_n are atoms of the form p(t_1, ..., t_h), where p is
a predicate of arity h and the terms t_1, ..., t_h are constants or variables. The
disjunction A_1 ∨ ... ∨ A_k is the head of r, while the conjunction B_1, ..., B_m, not C_1,
..., not C_n is the body of r. We also assume the existence of the binary built-in
predicate symbols (comparison operators) which can be used only in the body
of rules. A (disjunctive Datalog) program is a finite set of rules. A not-free (resp.
∨-free) program is called positive (resp. normal).

As usual, a literal is an atom A or a negated atom not A; in the former
case, it is positive, and in the latter negative. Two literals are complementary
if they are of the form A and not A, for some atom A. For a set S of literals,
not S = {not L | L ∈ S}.

The Herbrand Universe U_P of a program P is the set of all constants appearing
in P, and its Herbrand Base B_P is the set of all ground atoms constructed from
the predicates appearing in P and the constants from U_P. A term (resp. an
atom, a literal, a rule or a program) is ground if no variables occur in it. A rule
r' is a ground instance of a rule r if r' is obtained from r by replacing every
variable in r with some constant in U_P. We denote by ground(P) the set of all
ground instances of the rules in P.

An interpretation of P is any subset of B_P. The value of a ground atom
L w.r.t. an interpretation I, value_I(L), is true if L ∈ I and false otherwise.
The value of a ground negated literal not L is not value_I(L). The truth value
of a conjunction of ground literals C = L_1, ..., L_n is the minimum over the
values of the L_i, i.e., value_I(C) = min({value_I(L_i) | 1 ≤ i ≤ n}), while the
value value_I(D) of a disjunction D = L_1 ∨ ... ∨ L_n is their maximum, i.e.,
value_I(D) = max({value_I(L_i) | 1 ≤ i ≤ n}); if n = 0, then value_I(C) = true
and value_I(D) = false.

A ground rule r is satisfied by I if value_I(Head(r)) ≥ value_I(Body(r)). Thus,
a rule r with empty body is satisfied by I if value_I(Head(r)) = true whereas
a rule r' with empty head is satisfied by I if value_I(Body(r')) = false. In the
following we also assume the existence of rules with empty head which define
denials¹, i.e. rules which are satisfied only if the body is false. An interpretation
M for P is a model of P if M satisfies each rule in ground(P).

The (model-theoretic) semantics for positive P assigns to P the set of its minimal
models MM(P), where a model M for P is minimal if no proper subset
of M is a model for P [21]. Accordingly, the program P = {a ∨ b ←} has the
two minimal models {a} and {b}, i.e. MM(P) = { {a}, {b} }. The more general
disjunctive stable model semantics also applies to programs with (unstratified)
negation [10]. Disjunctive stable model semantics generalizes stable model
semantics, previously defined for normal programs [9].

For any interpretation I, denote with P^I the ground positive program derived
from ground(P) 1) by removing all rules that contain a negative literal not a in
the body and a ∈ I, and 2) by removing all negative literals from the remaining
rules. An interpretation M is a (disjunctive) stable model of P if and only if
M ∈ MM(P^M).

For general P, the stable model semantics assigns to P the set SM(P) of
its stable models. It is well known that stable models are minimal models (i.e.
SM(P) ⊆ MM(P)) and that for negation free programs minimal and stable
model semantics coincide (i.e. SM(P) = MM(P)). Observe that stable models
are minimal models which are "supported", i.e. their atoms can be derived from
the program. For instance, the program consisting of the rule a ∨ b ← not c has
three minimal models M_1 = {a}, M_2 = {b} and M_3 = {c}. However, only M_1
and M_2 are stable.



¹ Under total semantics.

2.1 Classical Negation

Traditional declarative semantics of Datalog and logic programming uses the 
closed world assumption and each ground atom which does not follow from the 
database is assumed to be false. Extended Datalog programs extend standard 
Datalog programs with a different form of negation, known as classical or strong 
negation, which can also appear in the head of rules. Thus, while standard pro- 
grams provide negative information implicitly, extended programs provide nega- 
tive information explicitly and we can distinguish queries which fail in the sense 
that they do not succeed and queries which fail in the stronger sense that nega- 
tion succeeds [10,16,11]. 

An extended atom is either an atom, say A, or its negation ¬A. An extended
Datalog program is a set of rules of the form

A_0 ∨ ... ∨ A_k ← B_1, ..., B_m, not B_{m+1}, ..., not B_n    k + n > 0

where A_0, ..., A_k, B_1, ..., B_n are extended atoms. A (2-valued) interpretation I
for an extended program P is a pair (T, F) where T and F define a partition
of B_P ∪ ¬B_P and ¬B_P = {¬A | A ∈ B_P}. The truth value of an extended atom
L ∈ B_P ∪ ¬B_P w.r.t. an interpretation I is equal to (i) true if L ∈ T and (ii)
false if L ∈ F. Moreover, we say that an interpretation I = (T, F) is consistent
if there is no atom A such that A ∈ T and ¬A ∈ T. The semantics of an extended
program P is defined by considering each negated predicate symbol, say ¬p, as a
new symbol syntactically different from p and by adding to the program, for each
predicate symbol p with arity n, the constraint ← p(X_1, ..., X_n), ¬p(X_1, ..., X_n).

The existence of a (2-valued) model for an extended program is not guaranteed,
even in the case of negation (as-failure) free programs. For instance, the
program consisting of the two facts a and ¬a does not admit any (2-valued)
model.

In the following, for the sake of simplicity, we shall also use rules whose bodies
may contain disjunctions. Such rules, called generalized disjunctive rules, are
used as shorthands for multiple standard disjunctive rules. More specifically, a
generalized disjunctive rule of the form

A_1 ∨ ... ∨ A_k ← (B_{1,1} ∨ ... ∨ B_{1,m_1}), ..., (B_{n,1} ∨ ... ∨ B_{n,m_n})

denotes the set of standard rules

A_1 ∨ ... ∨ A_k ← B_{1,i_1}, ..., B_{n,i_n}    for 1 ≤ j ≤ n and 1 ≤ i_j ≤ m_j

Given a generalized disjunctive program P, st(P) denotes the standard disjunctive
program derived from P by rewriting body disjunctions.



2.2 Disjunctive Queries 

Predicate symbols are partitioned into two distinct sets: base predicates (also
called EDB predicates) and derived predicates (also called IDB predicates). Base
predicates correspond to database relations defined over a given domain and they
do not appear in the head of any rule whereas derived predicates are defined by
means of rules.

Given a database D, a predicate symbol r and a program P, D(r) denotes the
set of r-tuples in D whereas P_D denotes the program derived from the union of
P with the tuples in D, i.e., P_D = P ∪ {r(t) ← | t ∈ D(r)}. In the following a
tuple t of a relation r will also be denoted as a fact r(t).

The semantics of P_D is given by the set of its stable models by considering
either their union (possible semantics or brave reasoning) or their intersection
(certain semantics or cautious reasoning).

A query Q is a pair (g, P) where g is a predicate symbol, called the query
goal, and P is a program. The answer of a query Q = (g, P) over a database
D, under the possible (resp. certain) semantics, is given by D'(g) where D' =
∪_{M ∈ SM(P_D)} M (resp. D' = ∩_{M ∈ SM(P_D)} M).

3 Databases with Constraints 

Databases contain, other than data, intensional knowledge expressed by
means of integrity constraints. Database schemata contain the knowledge on the
structure of data, i.e. they give constraints on the form the data must have.
The relationships among data are usually defined by constraints such as functional
dependencies, inclusion dependencies, etc. Integrity constraints and relation
schemata are introduced to prevent the insertion or deletion of data which
could produce incorrect states. Generally, databases contain an explicit representation
of intensional knowledge.

A database D has an associated schema DS = (Rs, IC) which defines the intensional
properties of D. In particular, Rs denotes the structure of the relations
whereas IC contains the set of integrity constraints. Integrity constraints are
used to define properties which are supposed to be satisfied by all instances of
a database schema. Early works have considered the case of general integrity
constraints expressed by arbitrary sentences from first-order logic. However,
feasibility considerations have led to the study of more restricted classes of
constraints, usually called dependencies, such as functional dependencies, inclusion
dependencies, join dependencies and others.

Definition 1. An integrity constraint (or embedded dependency) is a formula
of the first order predicate calculus of the form:

(∀x_1 ... ∀x_n) [ Φ(x_1, ..., x_n) ⊃ (∃z_1 ... ∃z_k) Ψ(y_1, ..., y_m) ]

where Φ(x_1, ..., x_n) and Ψ(y_1, ..., y_m) are two conjunctions of literals such that
x_1, ..., x_n and y_1, ..., y_m are the distinct variables appearing in Φ and Ψ
respectively, and {z_1, ..., z_k} = {y_1, ..., y_m} − {x_1, ..., x_n} is the set of variables
existentially quantified.

In the definition above, conjunction Φ is called the body and conjunction Ψ
the head of the integrity constraint. Without loss of generality, it is possible to
assume that the equality symbol only occurs in the head Ψ and only between
variables that also appear in the body Φ.

There are six common restrictions on embedded dependencies that give us six
classes of dependencies:

1. The full (or universal) are those not containing existentially quantified
variables.

2. The unirelational are those with one relation symbol only; dependencies with
more than one relation symbol are called multirelational.

3. The single-head are those with a single atom in the head; dependencies with
more than one atom in the head are called multi-head.

4. The tuple-generating are those without the equality symbol.

5. The equality-generating are full, single-head, with an equality atom in the
head.

6. The typed are those whose variables are assigned to fixed positions of base
atoms and every equality atom involves a pair of variables assigned to the
same position of the same base atom; dependencies which are not typed will
be called untyped.

Moreover, an embedded dependency is said to be positive if no negated literal
occurs in it². Most of the dependencies developed in database theory are restricted
cases of some of the above classes. For instance, functional dependencies are
positive, full, single-head, unirelational, equality-generating constraints.

In the rest of this section we concentrate on universal, single-head
dependencies. Therefore, an integrity constraint is a formula of the form

∀X [ B_1 ∧ ... ∧ B_k ∧ not B_{k+1} ∧ ... ∧ not B_n ∧ φ ⊃ B_0 ]

where B_1, ..., B_n are base literals, B_0 can be either a base literal or a built-in
literal, X denotes the list of all variables appearing in B_0, ..., B_n and φ is a
conjunction of built-in literals. Observe that a multi-head constraint of the form

∀X [ B_1 ∧ ... ∧ B_k ∧ not B_{k+1} ∧ ... ∧ not B_n ∧ φ ⊃ A_1 ∧ ... ∧ A_m ]

with m > 1, can be rewritten into m single-head constraints

∀X [ B_1 ∧ ... ∧ B_k ∧ not B_{k+1} ∧ ... ∧ not B_n ∧ φ ⊃ A_i ]    1 ≤ i ≤ m

Definition 2. Given a database schema DS = (Rs, IC) and a database instance
D over DS, we say that D is consistent if D ⊨ IC, i.e. if all integrity constraints
in IC are satisfied by D; otherwise it is inconsistent.



Example 3. The database of Example 1, derived from the union of the two source
databases, is inconsistent since there is an instance of the constraint which is
not satisfied, namely Teaches(c2, p2) ∧ Teaches(c2, p3) ⊃ p2 = p3.

² Classical definitions of embedded dependencies only consider positive constraints.

Definition 3. Given a database schema DS = (Rs, IC) and a database D over
DS. A repair for D is a pair of sets of atoms (R⁺, R⁻) such that 1) R⁺ ∩ R⁻ = ∅,
2) D ∪ R⁺ − R⁻ ⊨ IC and 3) there is no pair (S⁺, S⁻) ≠ (R⁺, R⁻) such that
S⁺ ⊆ R⁺, S⁻ ⊆ R⁻ and D ∪ S⁺ − S⁻ ⊨ IC. The database D ∪ R⁺ − R⁻ will
be called the repaired database.

Thus, repaired databases are consistent databases which are derived from the
source database by means of minimal³ sets of insertions and deletions of tuples.

Example 4. Assume we are given a database whose schema contains two unary
relations p and q with the inclusion dependency ∀(X) [ p(X) ⊃ q(X) ]
and the database instance consisting of the following set D = {p(a), p(b), q(a),
q(c)}. D is inconsistent since p(b) ⊃ q(b) is not satisfied. The repairs for D are
R_1 = ({q(b)}, ∅) and R_2 = (∅, {p(b)}) which produce, respectively, the repaired
databases D_1 = {p(a), p(b), q(a), q(c), q(b)} and D_2 = {p(a), q(a), q(c)}.

A (relational) query over a database defines a function from the database to a
relation. It can be expressed by means of alternative equivalent languages such
as relational algebra, 'safe' relational calculus or 'safe' non recursive Datalog
[24]. In the following we shall use Datalog. Thus, a query is a pair (g, P) where
P is a safe non-recursive Datalog program and g is a predicate symbol specifying
the output (derived) relation.

Observe that relational queries define a restricted case of disjunctive queries. 
The reason to consider relational and disjunctive queries is that, as we shall show 
in the next section, relational queries over databases with constraints can be 
rewritten into extended disjunctive queries over databases without constraints. 

Definition 4. Given a database schema DS = (Rs, IC) and a database D over
DS. An atom A is true (resp. false) with respect to (D, IC) if A belongs to all
repaired databases (resp. there is no repaired database containing A). The
atoms which are neither true nor false are undefined.

Thus, true atoms appear in all repaired databases whereas undefined atoms
appear in a proper subset of repaired databases. Given a database D and a set of
integrity constraints IC, the application of IC to D, denoted by IC(D), defines
three distinct sets of atoms: the set of true atoms IC(D)⁺, the set of undefined
atoms IC(D)ᵘ and the set of false atoms IC(D)⁻.

Definition 5. Given a database schema DS = (Rs, IC), a database D over DS
and a query Q = (g, P). The consistent answer of the query Q on the database
D, denoted as Q(D, IC), is the set of g-tuples contained in all repaired databases.

Fact 1 Given a database schema DS = (Rs, IC), a database D over DS and a
positive relational query Q, then Q(D, IC) = Q(IC(D)⁺).

³ Minimal w.r.t. set inclusion.

Example 5. Consider again the integrated database D of Example 4 and the
query Q = (p, ∅). The answer of the query Q(D, IC) contains the fact p(a). The
answer of the query (q, ∅)(D, IC) gives the facts q(a) and q(c).

4 Querying and Repairing Inconsistent Databases 

In this section we present a technique which permits us to compute consistent
answers and repairs for possibly inconsistent databases. The technique is based
on the generation of an extended disjunctive program LP derived from the set
of integrity constraints. The repairs for the database can be generated from the
stable models of LP whereas the consistent answers of a
query (g, P) can be derived by considering the stable models of the program
P ∪ LP over the database D.

Definition 6. Let c be a universally quantified constraint of the form

∀X (B_1 ∧ ... ∧ B_k ∧ not B_{k+1} ∧ ... ∧ not B_n ∧ φ ⊃ B_0)

then dj(c) denotes the extended disjunctive rule

¬B'_1 ∨ ... ∨ ¬B'_k ∨ B'_{k+1} ∨ ... ∨ B'_n ∨ B'_0 ← (B_1 ∨ B'_1), ..., (B_k ∨ B'_k),
(not B_{k+1} ∨ ¬B'_{k+1}), ..., (not B_n ∨ ¬B'_n), (not B_0 ∨ ¬B'_0), φ

where B'_i denotes the atom derived from B_i by replacing the predicate symbol
p with the new symbol p_d if B_i is a base atom, otherwise it is equal to false.

Let IC be a set of universally quantified integrity constraints, then DP(IC)
= { dj(c) | c ∈ IC } and LP(IC) = st(DP(IC)).

Thus, DP(IC) denotes the set of generalized disjunctive rules derived from the
rewriting of IC whereas LP(IC) denotes the set of standard disjunctive rules
derived from DP(IC). Clearly, given a database D and a set of constraints IC,
LP(IC)_D denotes the program derived from the union of the rules in LP(IC)
with the facts in D whereas SM(LP(IC)_D) denotes the set of stable models
of LP(IC)_D. Observe that every stable model is consistent, according to the
definition of consistent set given in Section 2, since it cannot contain two atoms
of the form A and ¬A.

Example 6. Consider the following integrity constraints:

1. ∀X [ p(X) ∧ not s(X) ⊃ q(X) ]

2. ∀X [ q(X) ⊃ r(X) ]

and the database D containing the facts p(a), p(b), s(a) and q(a). The derived
generalized extended disjunctive program is defined as follows:

¬p_d(X) ∨ s_d(X) ∨ q_d(X) ← (p(X) ∨ p_d(X)), (not s(X) ∨ ¬s_d(X)),
(not q(X) ∨ ¬q_d(X)).

¬q_d(X) ∨ r_d(X) ← (q(X) ∨ q_d(X)), (not r(X) ∨ ¬r_d(X)).

The above rules can now be rewritten in standard form by eliminating body
disjunctions. Let P be the corresponding extended disjunctive Datalog program;
the computation of the program P_D, derived from the union of P with the facts
in D, gives the following stable models:

M_1 = D ∪ {¬p_d(b), ¬q_d(a)},    M_4 = D ∪ {r_d(a), s_d(b)},

M_2 = D ∪ {¬p_d(b), r_d(a)},    M_5 = D ∪ {q_d(b), ¬q_d(a), r_d(b)},

M_3 = D ∪ {¬q_d(a), s_d(b)},    M_6 = D ∪ {q_d(b), r_d(a), r_d(b)}.

Observe that a (generalized) extended disjunctive Datalog program can be
simplified by eliminating from the rule bodies all literals whose predicate symbols
are derived and do not appear in the head of any rule (these literals cannot be
true). For instance, the generalized rules of the above example can be rewritten
as

¬p_d(X) ∨ s_d(X) ∨ q_d(X) ← p(X), not s(X), (not q(X) ∨ ¬q_d(X)).
¬q_d(X) ∨ r_d(X) ← (q(X) ∨ q_d(X)), not r(X).

because the predicate symbols p_d, ¬r_d and ¬s_d do not appear in the head of
any rule. As mentioned in the Introduction, in the presence of inconsistencies, 
generally, there are two possible alternative solutions: i) compute repairs making 
the database consistent through the insertion and deletion of tuples, or ii) com- 
pute consistent answers but leaving the database inconsistent. The rewriting of 
constraints into disjunctive rules is useful for both solutions. 



4.1 Computing Database Repairs 

Every stable model can be used to define a possible repair for the database
by interpreting new derived atoms (denoted by the subscript "d") as insertions
and deletions of tuples. Thus, if a stable model M contains two atoms ¬p_d(t)
(derived atom) and p(t) (base atom) we deduce that the atom p(t) violates some
constraint and, therefore, it must be deleted. Analogously, if M contains the
derived atom p_d(t) and does not contain p(t) (i.e. p(t) is not in the database) we
deduce that the atom p(t) should be inserted in the database. We now formalize
the definition of repaired database.

Definition 7. Given a database schema DS = (Rs, IC) and a database D over
DS. Let M be a stable model of LP(IC)_D. Then, R(M) = ( {p(t) | p_d(t) ∈
M ∧ p(t) ∉ D}, {p(t) | ¬p_d(t) ∈ M ∧ p(t) ∈ D} ).



Theorem 2. Given a database schema DS = (Rs, IC) and a database D over
DS. Then

1. (Soundness) for every stable model M of LP(IC)_D, R(M) is a repair for D;

2. (Completeness) for every database repair S for D there exists a stable model
M for LP(IC)_D such that S = R(M).

Proof (Sketch) Soundness derives from the fact that every stable model M is
consistent and is minimal. Completeness derives from the fact that stable models
are the only minimal models which are 'supported'.

Example 7. Consider the database of Example 4. Algorithm 1, applied to the
integrity constraint ∀X [ p(X) ⊃ q(X) ], produces the disjunctive rule

r : ¬p_d(X) ∨ q_d(X) ← (p(X) ∨ p_d(X)), (not q(X) ∨ ¬q_d(X)).

which can be rewritten into the simpler form

r' : ¬p_d(X) ∨ q_d(X) ← p(X), not q(X).

The program P_D, where P is the program consisting of the disjunctive rule
r', has two stable models M_1 = D ∪ {¬p_d(b)} and M_2 = D ∪ {q_d(b)}. The
derived repairs are R(M_1) = ({q(b)}, ∅) and R(M_2) = (∅, {p(b)}) corresponding,
respectively, to the insertion of q(b) and the deletion of p(b).



4.2 Computing Consistent Answers 

We consider now the problem of computing a consistent answer without modifying
the (possibly inconsistent) database. We assume that tuples contained in the
database or implied by the constraints may be either true or false or undefined.
From the results of Section 4.1 we derive

1. IC(D)⁺ = { p(t) ∈ D | ∄M ∈ SM(LP(IC)_D) s.t. ¬p_d(t) ∈ M } ∪
   { p(t) ∉ D | ∀M ∈ SM(LP(IC)_D) s.t. p_d(t) ∈ M },

2. IC(D)⁻ = { p(t) ∉ D | ∄M ∈ SM(LP(IC)_D) s.t. p_d(t) ∈ M } ∪
   { p(t) ∈ D | ∀M ∈ SM(LP(IC)_D) s.t. ¬p_d(t) ∈ M },

3. IC(D)ᵘ = { p(t) | ∃M_1, M_2 ∈ SM(LP(IC)_D) s.t. p_d(t) ∈ M_1 and
   ¬p_d(t) ∈ M_2 }.

Observe that the sets IC(D)⁺, IC(D)⁻ and IC(D)ᵘ are disjoint and that
IC(D)⁺ ∪ IC(D)⁻ defines a set of consistent atoms. Thus, the set of undefined
atoms IC(D)ᵘ contains the tuples which can be assumed neither true nor
false:

IC(D)ᵘ = { p(t) | p(t) ∈ D ∨ ∃M ∈ SM(LP(IC)_D)
   s.t. p_d(t) ∈ M or ¬p_d(t) ∈ M } − (IC(D)⁺ ∪ IC(D)⁻).

We are now in the position to introduce the definition of consistent answer.
The consistent answer for the query Q = (g, P) over the database D under
constraints IC is as follows:

Q(D, IC)⁺ = { g(t) ∈ D | ∄M ∈ SM((P ∪ LP(IC))_D) s.t. ¬g_d(t) ∈ M } ∪
   { g(t) ∉ D | ∀M ∈ SM((P ∪ LP(IC))_D) s.t. g_d(t) ∈ M },
Q(D, IC)ᵘ = { g(t) | ∃M_1, M_2 ∈ SM((P ∪ LP(IC))_D)
   s.t. g_d(t) ∈ M_1 and ¬g_d(t) ∈ M_2 }

whereas the set of atoms which are neither true nor undefined can be assumed
to be false.

For instance, in Example 7, the set of true tuples is the set of those belonging
to the intersection of the two models, that is p(a), q(a) and q(c), whereas the set
of undefined tuples is the set of those belonging to the union of the two models
and not to their intersection.

Example 8. Consider the database of Example 2. To answer a query it is necessary
to define, first, the atoms which are true, undefined and false:

1. IC(D)⁺ = {Supply(c1, d1, i1), Class(i1, t)}, the set of true atoms,

2. IC(D)ᵘ = {Supply(c2, d2, i2), Class(i2, t)}, the set of undefined atoms,

3. The atoms not belonging to IC(D)⁺ and IC(D)ᵘ are false.

The answer to the query (Class, ∅) gives the tuple (i1, t).

Observe that for every database D over a given schema DS = (Rs, IC), for
every query Q = (g, P) and for every repaired database D'

1. each atom A ∈ Q(D, IC)⁺ belongs to the stable model of P_{D'} (soundness)

2. each atom A ∈ Q(D, IC)⁻ does not belong to the stable model of P_{D'}
(completeness).

Example 9. Consider the integrated database D = { Teaches(c1, p1),
Teaches(c2, p2), Teaches(c2, p3) } of Example 1. The functional dependency
defined by the key of relation Teaches can be defined as

∀(X, Y, Z) [ Teaches(X, Y) ∧ Teaches(X, Z) ⊃ Y = Z ]

The corresponding disjunctive program P consists of the rule

¬Teaches_d(X, Y) ∨ ¬Teaches_d(X, Z) ← Teaches(X, Y), Teaches(X, Z), Y ≠ Z

The program P_D has two stable models: M_1 = D ∪ {¬Teaches_d(c2, p2)} and
M_2 = D ∪ {¬Teaches_d(c2, p3)}. Therefore, the set of facts which we can assume
to be true contains the single fact Teaches(c1, p1).



4.3 Complexity 

The technique proposed is general but expensive. In this section we define an 
upper bound for the general case and present results for special cases. 

Theorem 3. Let D be a database, Q = (g, P) a query and IC be a set of (full) 
single-head integrity constraints. Then 

1. A repair for D exists. 

2. Checking if there exists a repair for D such that the answer of Q is not 
empty is in $\Sigma_2^P$. 

3. Checking if a fact belongs to the consistent answer of Q is in $\Pi_2^P$. 

Proof (Sketch). We have seen that the answer of a query Q = (g, P) over a 
database D with integrity constraints IC is computed by considering the stable 
models of the disjunctive program P' = (P ∪ LP(IC))_D. The results derive from 
the fact that 

1. P' is stratified w.r.t. negation by default (i.e. not) and therefore it always has 
stable models, 

2. Checking if there exists a stable model for P' containing a given tuple is 
$\Sigma_2^P$-complete. 

3. Checking if all stable models for P' contain a given tuple is $\Pi_2^P$-complete. 

Moreover, for restricted cases of integrity constraints, answers can be com- 
puted very efficiently. 

Theorem 4. Let D be a database, FD a set of functional dependencies over D, 
RC a set of (full) referential dependencies over D and Q a query. Then, 

1. Q(D, FD) can be computed in polynomial time, 

2. Q(D, RC) can be computed in polynomial time. 

5 Generalizing Constraints and Answers 

In the previous section we have considered universal, single-head constraints. 
Here we extend our framework by considering more general constraints and 
partially defined answers. First of all observe that constraints with disjunctive 
heads can be rewritten into disjunctive rules and that for universally quantified 
integrity constraints it is possible to move literals from the head to the body 
and vice versa. This is not true for disjunctive Datalog rules under stable model 
semantics (for instance, the rules a ∨ b ← and a ← not b have the same minimal 
models but different stable models). 

5.1 Existentially Quantified Constraints 

In the presence of existentially quantified variables we modify Definition 1 as 
follows. 

Definition 8. Let r be a constraint rule and let r' = dj(r) be the corresponding 
generalized disjunctive rule. For each predicate q(X, Y) in r, where X is the list 
of universally quantified variables and Y is the list of existentially quantified variables 

— Add to the disjunctive program the rules 

$$q'(X) \leftarrow q(X, Y)$$
$$q'_d(X) \leftarrow q_d(X, Y)$$

where q' and q'_d are new predicate symbols storing the projection of q and q_d 
on the universally quantified variables (specified by X). 

— Replace q_d(X, Y) appearing in the head of r' with q_d(X, ⊥), where ⊥ denotes 
a list of unknown values. 

— Replace every q(X, Y) and q_d(X, Y) appearing in the body of r' with q'(X) 
and q'_d(X), respectively. 

The computation of repairs and consistent answers can be done by considering 
the disjunctive program modified as above. 

Example 10. Consider the referential constraint ∀X [emp(X) ⊃ ∃Y ss#(X, Y)] 
stating that every employee must have a social security number and the database 
D = {emp(a), emp(b), ss#(a, 1)}. From the rewriting of the integrity constraint, 
after the elimination of redundant literals, we get the rule 

$$r_2 :\; \neg emp_d(X) \lor ss\#_d(X, \bot) \leftarrow emp(X),\; \mathit{not}\; ss\#'(X).$$

where ss#' is defined by the rule 

$$r_1 :\; ss\#'(X) \leftarrow ss\#(X, Y)$$

The output program P consists of the rules r1 and r2. The program P_D has two 
stable models M1 = D ∪ {ss#'(a), ¬emp_d(b)} and M2 = D ∪ {ss#'(a), ss#_d(b, ⊥)}. 

From the two models we derive the two repairs R(M1) = (∅, {emp(b)}) and 
R(M2) = ({ss#(b, ⊥)}, ∅) which produce, respectively, the two repaired databases 
D1 = {emp(a), ss#(a, 1)} and D2 = {emp(a), emp(b), ss#(a, 1), ss#(b, ⊥)}. 

The answer to the query (emp, ∅) contains the only fact emp(a), whereas the 
answer to the query (ss#, ∅) contains the only fact ss#(a, 1). The atoms emp(b) 
and ss#(b, ⊥) are undefined. 
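The following Python program is an added worked example, not code from the paper or from the dlv prototype it mentions. It replays Examples 9 and 10: the database facts and the disjunctive rules are grounded by hand (atoms are tuples, the deletion atom ¬p_d(t) is encoded as ('del', t), the insertion atom p_d(t) as ('ins', t), and the string '_|_' stands for ⊥), stable models are enumerated by brute force through the Gelfond-Lifschitz reduct (a set of atoms is stable iff it is a minimal model of its own reduct), and the true/undefined/false split follows the definition of consistent answer given in Section 4.2. The encoding and the helper names are this example's own choices, not the paper's.

```python
from itertools import chain, combinations

# Added example, not code from the paper. Ground atoms are tuples such as
# ('teaches', 'c2', 'p2'); the paper's ¬p_d(t) and p_d(t) are encoded as
# ('del', t) and ('ins', t); BOTTOM stands for the paper's ⊥ (unknown value).
# A ground rule is (head, pos_body, neg_body): frozensets of atoms, the head
# being a disjunction and neg_body the atoms under "not".
BOTTOM = '_|_'


def powerset(atoms):
    atoms = sorted(atoms, key=repr)
    return (frozenset(c) for r in range(len(atoms) + 1)
            for c in combinations(atoms, r))


def is_model(m, rules):
    """m satisfies a rule iff its body is false in m or some head atom is in m."""
    return all(not (pos <= m and neg.isdisjoint(m)) or bool(head & m)
               for head, pos, neg in rules)


def gl_reduct(rules, m):
    """Gelfond-Lifschitz reduct of the program w.r.t. m."""
    return [(h, p, frozenset()) for h, p, n in rules if n.isdisjoint(m)]


def stable_models(rules):
    """Brute force: m is stable iff it is a minimal model of its own reduct.
    Exponential, but adequate for the paper's toy databases."""
    base = frozenset(chain.from_iterable(h | p | n for h, p, n in rules))
    models = []
    for m in powerset(base):
        r = gl_reduct(rules, m)
        if is_model(m, r) and not any(is_model(s, r) for s in powerset(m) if s != m):
            models.append(m)
    return models


def facts_as_rules(db):
    return [(frozenset([t]), frozenset(), frozenset()) for t in db]


def fd_rules(db, rel, key):
    """Ground  ¬p_d(X,Y) ∨ ¬p_d(X,Z) ← p(X,Y), p(X,Z), Y ≠ Z  over the db for
    the functional dependency 'the attributes at positions key are a key of rel'."""
    tuples = sorted((t for t in db if t[0] == rel), key=repr)
    return [(frozenset([('del', t1), ('del', t2)]), frozenset([t1, t2]), frozenset())
            for t1, t2 in combinations(tuples, 2)
            if all(t1[i] == t2[i] for i in key)]


def consistent_answer(db, models, rel):
    """Split the atoms of relation rel into (true, undefined, false) following
    the definition of Q(D,IC)+, Q(D,IC)u and Q(D,IC)- in Section 4.2."""
    true, undefined, false = set(), set(), set()
    for t in (t for t in db if t[0] == rel):
        deleted_in = [('del', t) in m for m in models]
        if all(deleted_in):
            false.add(t)
        elif not any(deleted_in):
            true.add(t)
        else:
            undefined.add(t)
    inserted = {a[1] for m in models for a in m if a[0] == 'ins' and a[1][0] == rel}
    for t in inserted:
        (true if all(('ins', t) in m for m in models) else undefined).add(t)
    return true, undefined, false


def example_9():
    # Constructed input: the database of Example 9 with the key of Teaches.
    db = {('teaches', 'c1', 'p1'), ('teaches', 'c2', 'p2'), ('teaches', 'c2', 'p3')}
    models = stable_models(facts_as_rules(db) + fd_rules(db, 'teaches', key=[1]))
    return len(models), consistent_answer(db, models, 'teaches')


def example_10():
    # Constructed input: the database of Example 10 and the hand-grounded rules
    # r1: ss#'(X) ← ss#(X,Y)   r2: ¬emp_d(X) ∨ ss#_d(X,⊥) ← emp(X), not ss#'(X)
    db = {('emp', 'a'), ('emp', 'b'), ('ss#', 'a', 1)}
    rules = facts_as_rules(db)
    for t in db:
        if t[0] == 'ss#':
            rules.append((frozenset([("ss#'", t[1])]), frozenset([t]), frozenset()))
        elif t[0] == 'emp':
            rules.append((frozenset([('del', t), ('ins', ('ss#', t[1], BOTTOM))]),
                          frozenset([t]), frozenset([("ss#'", t[1])])))
    models = stable_models(rules)
    return (len(models), consistent_answer(db, models, 'emp'),
            consistent_answer(db, models, 'ss#'))


if __name__ == '__main__':
    print(example_9())
    print(example_10())
```

Running it yields two stable models for each example: Teaches(c1, p1) is the only true fact of Example 9 and the two c2 tuples are undefined, while in Example 10 emp(a) and ss#(a, 1) are true and emp(b) and ss#(b, ⊥) undefined, as in the text. The exhaustive enumeration is exponential in the size of the Herbrand base; the polynomial bounds of Theorem 4 for functional and referential dependencies need a dedicated algorithm rather than this generic search.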



5.2 Partially Defined Answers 

In the framework introduced in the previous section we have assigned to every 
ground atom a truth value. Here we extend our framework and also consider 
partially defined atoms, i.e. atoms with ‘unknown’ attributes. 

Given two ground atoms A = p(t1, ..., tn) and B = p(u1, ..., un) we say that 
A subsumes B (written A ≤ B) if ∀i either t_i = u_i or t_i = ⊥.  Given two sets of 
ground atoms S1 and S2, S1 subsumes S2 (written S1 ≤ S2) if ∀B ∈ S2 ∃A ∈ S1 
s.t. A ≤ B and ∀A ∈ S1 ∃B ∈ S2 s.t. A ≤ B. 

Given a set of sets of ground atoms S and a set of ground atoms T we say 
that T approximates S (written T ⊑ S) if for each S_i ∈ S, T ≤ S_i. Moreover, 
we say that T is the maximal approximation of S if T ⊑ S and there is no set 
U such that T < U ⊑ S. For instance, the maximal approximation of {p(a, b)} 
and {p(a, d), p(c, b)} is {p(a, ⊥), p(⊥, b)}. 

Let D be a database, IC a set of constraints and S the set of stable models of 
LP(IC)_D. Let N be the maximal approximation of S (clearly ⋂_{M ∈ S} M ⊆ N). 
Then, the sets of partially defined atoms which are true, false and undefined are: 
$$\begin{aligned}
1.\;& \mathcal{IC}(D)^+ = \{\, p(t) \in D \mid \nexists M \in SM(\mathcal{LP}(\mathcal{IC})_D) \text{ s.t. } \neg p_d(t) \in M \,\} \cup \{\, p(t) \notin D \mid p_d(t) \in N \,\}, \\
2.\;& \mathcal{IC}(D)^- = \{\, p(t) \notin D \mid \nexists M \in SM(\mathcal{LP}(\mathcal{IC})_D) \text{ s.t. } p_d(t) \in M \,\} \cup \{\, p(t) \in D \mid \forall M \in SM(\mathcal{LP}(\mathcal{IC})_D) \text{ s.t. } \neg p_d(t) \in M \,\}, \\
3.\;& \mathcal{IC}(D)^u = \{\, p(t) \mid \exists M_1, M_2 \in SM(\mathcal{LP}(\mathcal{IC})_D) \text{ s.t. } p_d(t) \in M_1 \text{ and } \neg p_d(t) \in M_2 \,\}.
\end{aligned}$$

Definition 9. Given a database D, a set of integrity constraints IC and a query 
Q = (g, P), the generalized consistent answer for the query Q over the 
database D is 

$$\begin{aligned}
Q(D,\mathcal{IC})^+ &= \{\, g(t) \in D \mid \nexists M \in SM((\mathcal{P} \cup \mathcal{LP}(\mathcal{IC}))_D) \text{ s.t. } \neg g_d(t) \in M \,\} \cup \{\, g(t) \notin D \mid g_d(t) \in N \,\}, \\
Q(D,\mathcal{IC})^- &= \{\, g(t) \notin D \mid \nexists M \in SM((\mathcal{P} \cup \mathcal{LP}(\mathcal{IC}))_D) \text{ s.t. } g_d(t) \in M \,\} \cup \{\, g(t) \in D \mid \neg g_d(t) \in N \,\},
\end{aligned}$$

where N is the maximal approximation of SM((P ∪ LP(IC))_D). 

Example 11. Consider the database D = {p(c1, p1), p(c2, p2), p(c2, p3)} of Ex- 
ample 1 with the integrity constraint ∀(X, Y, Z) [ p(X, Y), p(X, Z) ⊃ Y = Z ]. The 
disjunctive program derived from the integrity constraint has two stable models 
M1 = D ∪ {¬p_d(c2, p2)} and M2 = D ∪ {¬p_d(c2, p3)}. The best approximation 
of M1 and M2 is D ∪ {¬p_d(c2, ⊥)}. The set of positive atoms contains p(c1, p1) 
and p(c2, ⊥). Thus, we know that c2 is a course but the professor teaching that 
course is unknown. 

Observe that partially defined tuples generalize the knowledge carried by undefined atoms. 
For the database of Example 1, we have derived that the facts p(c2, p2) and 
p(c2, p3) are undefined. By using partially defined atoms, we add the knowledge 
that c2 is a course. 
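As an added example (not code from the paper), the following Python implements the subsumption orders of Section 5.2 and a procedure for computing the maximal approximation of a set of models. The procedure itself (anti-unify one atom per model into a candidate, then drop a candidate whenever a strictly more specific candidate exists and every model atom it covers is still covered by another candidate) is this example's own construction, chosen so that T ⊑ S is preserved at every step; it reproduces both the {p(a, ⊥), p(⊥, b)} illustration and the approximation D ∪ {¬p_d(c2, ⊥)} of Example 11. Atom encoding and function names are assumptions of the example.

```python
from itertools import product

# Added example, not code from the paper. Ground atoms are tuples such as
# ('p', 'a', 'b'); BOTTOM is the paper's ⊥ (an unknown attribute value) and
# the deletion atom ¬p_d(t) is written with the predicate name '-p_d'.
BOTTOM = '_|_'


def atom_subsumes(a, b):
    """A ≤ B: same predicate and arity and, for every i, t_i = u_i or t_i = ⊥."""
    return (a[0] == b[0] and len(a) == len(b)
            and all(x == y or x == BOTTOM for x, y in zip(a[1:], b[1:])))


def set_subsumes(s1, s2):
    """S1 ≤ S2: every atom of S2 is subsumed by some atom of S1 and vice versa."""
    return (all(any(atom_subsumes(a, b) for a in s1) for b in s2)
            and all(any(atom_subsumes(a, b) for b in s2) for a in s1))


def approximates(t, models):
    """T ⊑ S: T ≤ S_i for every S_i in S."""
    return all(set_subsumes(t, m) for m in models)


def lgg(atoms):
    """Least general generalisation of atoms with one predicate and arity:
    keep an attribute value where all atoms agree, ⊥ elsewhere."""
    first = atoms[0]
    return (first[0],) + tuple(v if all(a[i] == v for a in atoms) else BOTTOM
                               for i, v in enumerate(first[1:], start=1))


def maximal_approximation(models):
    """Assumed algorithm (not the paper's): candidates are the lggs of one atom
    drawn from each model; a candidate c is dropped when some strictly more
    specific candidate exists and every model atom subsumed by c is still
    subsumed by another candidate, so T ⊑ S holds after every removal."""
    models = [set(m) for m in models]
    candidates = {lgg(list(combo)) for combo in product(*models)
                  if len({(a[0], len(a)) for a in combo}) == 1}
    result = set(candidates)
    for c in sorted(candidates, key=repr):
        others = result - {c}
        more_specific = any(atom_subsumes(c, d) for d in others)
        uncovered = any(atom_subsumes(c, b) for m in models for b in m
                        if not any(atom_subsumes(d, b) for d in others))
        if more_specific and not uncovered:
            result = others
    return result


def example_section_5_2():
    # Constructed input: the two sets used in the text's illustration.
    return maximal_approximation([{('p', 'a', 'b')},
                                  {('p', 'a', 'd'), ('p', 'c', 'b')}])


def example_11():
    # Constructed input: the two stable models of Example 11.
    d = {('p', 'c1', 'p1'), ('p', 'c2', 'p2'), ('p', 'c2', 'p3')}
    return maximal_approximation([d | {('-p_d', 'c2', 'p2')},
                                  d | {('-p_d', 'c2', 'p3')}])


if __name__ == '__main__':
    print(sorted(example_section_5_2(), key=repr))
    print(sorted(example_11(), key=repr))
```

The redundancy test is what keeps the result an approximation: in Example 11 the candidate p(c2, ⊥) is dropped because p(c2, p2) and p(c2, p3) already cover every atom it covers, whereas for models {p(a, b)} and {p(a, b), p(a, d)} the candidate p(a, ⊥) is kept, since p(a, d) would otherwise be left uncovered.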

6 Related Work 

The problem of managing inconsistent databases has been deeply investigated 
in the last few years, mainly in the areas of databases and artificial intelligence. 

Agarwal et al. proposed an extension of relational algebra, called flexible al- 
gebra, to deal with inconsistent data [1]. The flexible algebra extends relational 
algebra through the introduction of flexible relations, i.e. non-1NF relations that 
contain sets of non-key attributes. Their technique only considers constraints 
defining functional dependencies. However, flexible algebra is sound only for the 
class of databases having only dependencies determined by the primary key. 
An extension of flexible algebra to functional dependencies on other keys, called 
integrated relational calculus, was proposed by Dung [6]. 

An alternative approach, taking the disjunction of the maximal consistent 
subsets of the union of the databases, has been proposed in [3]. For instance, 
assuming that there are two sources containing respectively p(a, c) and p(a, b) 
where the first argument is a key, the solution is to store p(a, b) ∨ p(a, c). A refine- 
ment of this technique has been presented in [20] where it was proposed to take 
into account the majority view of the knowledge bases. A different framework, 
based on annotated logic programming, was introduced in [23]. 

Querying Inconsistent Databases 323 

An interesting technique has been recently proposed in [5]. This technique is 
based on the computation of an equivalent query T_ω(Q) derived from the source 
query Q. The definition of T_ω(Q) is based on the notion of residue developed 
in the context of semantic query optimization. A classical example is shown 
below. 

Example 12. [5] For the constraint of Example 2 with the query goal Class(Z, 
t), the technique proposed in [5] generates, first, the association: 

$$Class(Z, W) \rightarrow Class(Z, W) \land \forall (X, Y)(\neg Supply(X, Y, Z) \lor W \neq t \lor X = c_1).$$

so that if a query Q = Class(Z, t) is submitted, a new query 
T_ω(Q) = T_IC(Class(Z, t)) is generated, equal to: 

$$\{\, Class(Z, t),\; Class(Z, t) \land \forall (X, Y)(\neg Supply(X, Y, Z) \lor X = c_1) \,\}.$$

The evaluation of T_ω(Q) produces the unique consistent answer Z = i1. 

This technique has been shown to be complete for universal binary integrity 
constraints and universally quantified queries. A binary integrity constraint is of 
the form ∀X (B1 ∨ B2 ∨ φ), where B1, B2 are literals and φ is a conjunctive 
formula. The following example shows a case where the technique proposed in 
[5] is not complete. 

Example 13. Consider the integrity constraint ∀(X, Y, Z) [p(X, Y) ∧ p(X, Z) 
⊃ Y = Z], the database D = {p(a, b), p(a, c)} and the query Q = ∃U p(a, U) 
(we are using here the formalism used in [5]). The technique proposed in [5] 
generates the new query T_ω(Q) = ∃U [p(a, U) ∧ ∀Z(¬p(a, Z) ∨ Z = U)], which 
is not satisfied, thus contradicting the expected answer, which is true. 

In our framework the query Q can be expressed as (p1, P) where P consists 
of the rule 

$$r_1 :\; p1(X) \leftarrow p(X, U),\; X = a.$$

whereas the constraint produces the following generalized disjunctive rule 

$$\neg p_d(X, Y) \lor \neg p_d(X, Z) \leftarrow (p(X, Y) \lor p_d(X, Y)),\; (p(X, Z) \lor p_d(X, Z)),\; Y \neq Z.$$

which can be rewritten into the simpler form 

$$r_2 :\; \neg p_d(X, Y) \lor \neg p_d(X, Z) \leftarrow p(X, Y),\; p(X, Z),\; Y \neq Z.$$

The program P = {r1, r2} has two stable models M1 = D ∪ 
{¬p_d(a, c), p1(a)} and M2 = D ∪ {¬p_d(a, b), p1(a)}. The set of true facts is 
{p1(a)} and, therefore, the answer to the query consists of the fact p1(a). 

Thus, our technique is more general than the technique proposed in [5]: our 
technique for universally quantified dependencies is complete, and these results 
can be easily extended to more general classes of constraints. We conclude by 
mentioning that a simple prototype has been implemented on top of the system 
dlv [15]. 



7 Conclusions 

The paper has proposed a technique for querying inconsistent databases. The 
technique is based on the use of disjunctive programs and stable model seman- 
tics. Our technique is sound and complete and more general than previously pro- 
posed techniques. We are currently investigating the identification of classes of 
constraints which permit an efficient computation (this is also one of the most inter- 
esting topics currently investigated in the disjunctive databases and nonmonotonic 
reasoning areas). Another interesting issue is the extension of the framework to 
allow users to specify preferences on the insertion or deletion of atoms and on the 
source information (in the case of inconsistencies derived from the integration of 
multiple information sources). 



References 

1. S. Agarwal, A. M. Keller, G. Wiederhold, and K. Saraswat. Flexible Relation: an Ap- 
proach for Integrating Data from Multiple, Possibly Inconsistent Databases. In IEEE 
Int. Conf. on Data Engineering, 1995. 

2. F. Bry. Query Answering in Information Systems with Integrity Constraints. In IFIP 
WG 11.5 Working Conf. on Integrity and Control in Inform. Systems, 1997. 

3. C. Baral, S. Kraus, J. Minker. Combining Multiple Knowledge Bases. IEEE Trans. 
on Knowledge and Data Engineering, 3(2): 208-220, 1991. 

4. C. Baral, S. Kraus, J. Minker, V. S. Subrahmanian. Combining Knowledge Bases 
Consisting of First Order Theories. ISMIS 1991: 92-101. 

5. M. Arenas, L. Bertossi, J. Chomicki. Consistent Query Answers in Inconsistent 
Databases. Proc. PODS 1999, pp. 68-79, 1999. 

6. P. M. Dung. Integrating Data from Possibly Inconsistent Databases. Proc. Int. Conf. 
on Cooperative Information Systems, 1996: 58-65. 

7. T. Eiter, G. Gottlob and H. Mannila. Disjunctive Datalog. ACM Transactions on 
Database Systems, 22(3): 364-418, 1997. 

8. J. A. Fernandez and J. Minker. Computing perfect models of disjunctive stratified 
databases. In Proc. ILPS'91 W. on Disj. Logic Progr., pp. 110-117, 1991. 

9. M. Gelfond, V. Lifschitz. The Stable Model Semantics for Logic Programming. In 
Proc. of Fifth Conf. on Logic Programming, pp. 1070-1080, 1988. 

10. M. Gelfond and V. Lifschitz. Classical Negation in Logic Programs and 
Disjunctive Databases. New Generation Computing, 9: 365-385, 1991. 

11. S. Greco, D. Sacca. Negative Logic Programs. In North American Conference on 
Logic Programming, pages 480-497, 1990. 

12. S. Greco. Binding Propagation in Disjunctive Databases. Proc. Int. Conf. on Very 
Large Data Bases, 1997. 

13. S. Greco. Minimal founded semantics for disjunctive logic programming. Int. Conf. 
on Logic Programming and Nonmonotonic Reasoning, 1999. 

14. J. Grant, V. S. Subrahmanian. Reasoning in Inconsistent Knowledge Bases. IEEE 
Trans. on Knowledge and Data Eng., 7(1): 177-189, 1995. 

15. T. Eiter, N. Leone, C. Mateis, G. Pfeifer and F. Scarcello. A Deductive System for 
Non-monotonic Reasoning. Proc. LPNMR Conf., 1997, pp. 363-374. 

16. R. A. Kowalski, F. Sadri. Logic Programs with Exceptions. New Generation Com- 
puting, Vol. 9, No. 3/4, pages 387-400, 1991. 

17. J. Lin. A Semantics for Reasoning Consistently in the Presence of Inconsistency. 
Artificial Intelligence 86(1): 75-95, 1996. 

18. J. Lin. Integration of Weighted Knowledge Bases. Artificial Intelligence 83(2): 363- 
378, 1996. 

19. J. Lin, A. O. Mendelzon. Merging Databases Under Constraints. Int. Journal of 
Cooperative Information Systems 7(1): 55-76, 1998. 

20. J. Lin, A. O. Mendelzon. Knowledge Base Merging by Majority. In R. Pareschi and 
B. Fronhoefer (eds.), Dynamic Worlds, Kluwer, 1999. 

21. J. Minker. On Indefinite Data Bases and the Closed World Assumption. Proc. 6th 
Conf. on Automated Deduction, pp. 292-308, 1982. 

22. J. M. Nicolas. Logic for Improving Integrity Checking in Relational Data Bases. 
Acta Informatica, No. 18, pages 227-253, 1982. 

23. V. S. Subrahmanian. Amalgamating Knowledge Bases. TODS 19(2): 291-331, 1994. 

24. J. D. Ullman. Principles of Database and Knowledge-Base Systems, Vol. 1, Com- 
puter Science Press, Rockville, Md., 1988. 




How to Decide Query Containment under Constraints 
Using a Description Logic 



Ian Horrocks¹, Ulrike Sattler², Sergio Tessaris¹, and Stephan Tobies² 

¹ Department of Computer Science, University of Manchester, UK 
² LuFg Theoretical Computer Science, RWTH Aachen, Germany 



Abstract. We present a procedure for deciding (database) query containment 
under constraints. The technique is to extend the logic DLR with an ABox, and 
to transform query subsumption problems into DLR ABox satisfiability prob- 
lems. Such problems can then be decided, via a reification transformation, using 
a highly optimised reasoner for the SHIQ description logic. We use a simple ex- 
ample to support our hypothesis that this procedure will work well with realistic 
problems. 



1 Introduction 

Query containment under constraints is the problem of determining whether the result 
of one query is contained in the result of another query for every database satisfying a 
given set of constraints (derived, for example, from a schema). This problem is of par- 
ticular importance in information integration (see [10]) and data warehousing where, 
in addition to the constraints derived from the source schemas and the global schema, 
inter-schema constraints can be used to specify relationships between objects in differ- 
ent schemas (see [6]). 

In [12], query containment without constraints was shown to be NP-complete, and a 
subsequent analysis identified cycles in queries as the main source of complexity [13]. 
Query containment under different forms of constraints has, e.g., been studied in [23] 
(containment w.r.t. functional and inclusion dependencies) and [11, 24] (containment 
w.r.t. is-a hierarchies). 

Calvanese et al. [4] have established a theoretical framework using the logic DLR,* 
presented several (un)decidability results, and described a method for solving the de- 
cidable cases using an embedding in the propositional dynamic logic CPDL_g [17, 15]. 
The importance of this framework is due to the high expressive power of DLR, which 
allows Extended Entity-Relationship (EER) schemas and inter-schema constraints to be 
captured. However, the embedding technique does not lead directly to a practical deci- 
sion procedure as there is no (known) implementation of a CPDL_g reasoner. Moreover, 
even if such an implementation were to exist, similar embedding techniques [14] have 
resulted in severe tractability problems when used, for example, to embed the SHIF 
description logic in SHF by eliminating inverse roles [18]. 

* Set semantics is assumed in this framework. 

M. Parigot and A. Voronkov (Eds.); LPAR 2000, LNAI 1955, pp. 326-343, 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 
In this paper we present a practical decision procedure for the case where neither 
the queries nor the constraints contain regular expressions. This represents a restric- 
tion with respect to the framework described in Calvanese et al., where it was shown 
that the problem is still decidable if regular expressions are allowed in the schema and 
the (possibly) containing query, but this seems to be acceptable when modelling clas- 
sical relational information systems, where regular expressions are seldom used [7, 6]. 
When excluding regular expressions, constraints imposed by EER schemas can still be 
captured, so the restriction (to contain no regular expressions) is only relevant to inter- 
schema constraints. Hence, the use of DLR in both schema and queries still allows for 
relatively expressive queries, and by staying within a strictly first order setting we are 
able to use a decision procedure that has demonstrated good empirical tractability. 

The procedure is based on the method described by Calvanese et al., but extends 
DLR by defining an ABox, a set of axioms that assert facts about named individuals 
and tuples of named individuals (see [5]). This leads to a much more natural encoding 
of queries (there is a direct correspondence between variables and individuals), and 
allows the problem to be reduced to that of determining the satisfiability of a DLR 
knowledge base (KB), i.e., a combined schema and ABox. This problem can in turn 
be reduced to a KB satisfiability problem in the SHIQ description logic, with n-ary 
relations reduced to binary ones by reification. In [24], a similar approach is presented. 
However, the underlying description logic (ALCNR) is less expressive than DLR and 
SHIQ (for example, it is not able to capture Entity-Relationship schemas). 

We have good reasons to believe that this approach represents a practical solution. 
In the FaCT system [18], we already have an (optimised) implementation of the de- 
cision procedure for SHIQ schema satisfiability described in [21], and using FaCT 
we have been able to reason very efficiently with a realistic schema derived from the 
integration of several Extended Entity-Relationship schemas using DLR inter-schema 
constraints (the schemas and constraints were taken from a case study undertaken as 
part of the Esprit DWQ project [7, 6]). In Section 4, we use the FaCT system to demon- 
strate the empirical tractability of a simple query containment problem with respect to 
the integrated DWQ schema. FaCT's schema satisfiability algorithm can be straight- 
forwardly extended to deal with ABox axioms (and thus arbitrary query containment 
problems) [22], and as the number of individuals generated by the encoding of realistic 
query containment problems will be relatively small, this extension should not compro- 
mise empirical tractability. 

Most proofs are either omitted or given only as outlines in this paper. For full details, 
please refer to [20]. 



2 Preliminaries 



In this section we will (briefly) define the key components of our framework, namely 
the logic DLR, (conjunctive) queries, and the logic SHIQ. 
2.1 The Logic DLR 

We will begin with DLR as it is used in the definition of both schemas and queries. 
DLR is a description logic (DL) extended with the ability to describe relations of any 
arity. It was first introduced in [9]. 

Definition 1. Given a set of atomic concept names NC and a set of atomic relation 
names NR, every C ∈ NC is a concept and every R ∈ NR is a relation, with every R 
having an associated arity. If C, D are concepts, R, S are relations of arity n, i is an 
integer 1 ≤ i ≤ n, and k is a non-negative integer, then 

$$\top,\; \neg C,\; C \sqcap D,\; \exists[\$i]R,\; (\leq k[\$i]R) \quad \text{are DLR concepts, and}$$

$$\top_n,\; \neg R,\; R \sqcap S,\; (\$i/n : C) \quad \text{are DLR relations with arity } n.$$

Relation expressions must be well-typed in the sense that only relations with the same 
arity can be conjoined, and in constructs like ∃[$i]R and (≤ k[$i]R) the value of i must be less than or 
equal to the arity of R. 

The semantics of DLR is given in terms of interpretations I = (Δ^I, ·^I), where Δ^I 
is the domain (a non-empty set), and ·^I is an interpretation function that maps every 
concept to a subset of Δ^I and every n-ary relation to a subset of (Δ^I)^n such that the 
following equations are satisfied (♯ denotes set cardinality). 

$$\begin{aligned}
(C \sqcap D)^{\mathcal I} &= C^{\mathcal I} \cap D^{\mathcal I} \\
(\exists[\$i]R)^{\mathcal I} &= \{\, d \in \Delta^{\mathcal I} \mid \exists (d_1, \ldots, d_n) \in R^{\mathcal I}.\; d_i = d \,\} \\
(\leq k[\$i]R)^{\mathcal I} &= \{\, d \in \Delta^{\mathcal I} \mid \sharp\{ (d_1, \ldots, d_n) \in R^{\mathcal I} : d_i = d \} \leq k \,\} \\
\top_n^{\mathcal I} &\subseteq (\Delta^{\mathcal I})^n & R^{\mathcal I} &\subseteq \top_n^{\mathcal I} \\
(\neg R)^{\mathcal I} &= \top_n^{\mathcal I} \setminus R^{\mathcal I} & (R \sqcap S)^{\mathcal I} &= R^{\mathcal I} \cap S^{\mathcal I} \\
(\$i/n : C)^{\mathcal I} &= \{\, (d_1, \ldots, d_n) \in \top_n^{\mathcal I} \mid d_i \in C^{\mathcal I} \,\}
\end{aligned}$$

Note that ⊤_n does not need to be interpreted as the set of all tuples of arity n, but 
only as a subset of them, and that the negation of a relation R with arity n is relative to 
⊤_n. 

In our framework, a schema consists of a set of logical inclusion axioms expressed 
in DLR. These axioms could be derived from the translation into DLR of schemas 
expressed in some other data modelling formalism (such as Entity-Relationship mod- 
elling [3, 8]), or could directly stem from the use of DLR to express, for example, 
inter-schema constraints to be used in data warehousing (see [6]). 

Definition 2. A DLR schema S is a set of axioms of the form C ⊑ D and R ⊑ S, 
where C, D are DLR concepts and R, S are DLR relations of the same arity; an 
interpretation I satisfies C ⊑ D iff C^I ⊆ D^I, and it satisfies R ⊑ S iff R^I ⊆ S^I. An 
interpretation I satisfies a schema S iff I satisfies every axiom in S. 

Crucially, we extend DLR to assert properties of individuals, names representing 
single elements of the domain. An ABox is a set of axioms asserting facts about indi- 
viduals and tuples of individuals. 

Definition 3. Given a set of individuals NI, a DLR ABox A is a set of axioms of the 
form w:C and w:R, where C is a concept, R is a relation of arity n, w is an individual 
and w is an n-tuple (w1, ..., wn) such that w1, ..., wn are individuals. We will often 
write w_i to refer to the i-th element of an n-tuple w, where 1 ≤ i ≤ n. 

Additionally, the interpretation function ·^I maps every individual to an element of 
Δ^I and thus also tuples of individuals to tuples of elements of Δ^I. An interpretation I 
satisfies an axiom w:C iff w^I ∈ C^I, and it satisfies an axiom w:R iff w^I ∈ R^I. An 
interpretation I satisfies an ABox A iff I satisfies every axiom in A. 

A knowledge base (KB) K is a pair (S, A), where S is a schema and A is an ABox. 
An interpretation I satisfies a KB K iff it satisfies both S and A. 

If an interpretation I satisfies a concept, axiom, schema, or ABox X, then we say 
that I is a model of X, call X satisfiable, and write I ⊨ X. 

Note that it is not assumed that individuals with different names are mapped to 
different elements in the domain (the so-called unique name assumption). 

Definition 4. If K is a KB, I is a model of K, and A is an ABox, then I' is called 
an extension of I to A iff I' satisfies A, Δ^{I'} = Δ^I, and all concepts, relations, and 
individuals occurring in K are interpreted identically by I and I'. 

Given two ABoxes A, A' and a schema S, A is included in A' w.r.t. S (written 
(S, A) ⊨ A') iff every model I of (S, A) can be extended to A'. 

2.2 Queries 

In this paper we will focus on conjunctive queries (see [1, chap. 4]), and describe only 
briefly (in Section 5) how the technique can be extended to deal with disjunctions of 
conjunctive queries (for full details please refer to [20]). A conjunctive query q is an 
expression 

$$q(\vec{x}) \leftarrow term_1(\vec{x}, \vec{y}, \vec{c}) \land \ldots \land term_n(\vec{x}, \vec{y}, \vec{c})$$

where x, y, and c are tuples of distinguished variables, variables, and constants, re- 
spectively (distinguished variables appear in the answer, "ordinary" variables are used 
only in the query expression, and constants are fixed values). Each term term_i(x, y, c) 
is called an atom in q and is in one of the forms C(w) or R(w), where w (resp. the tuple w) is 
a variable or constant (resp. tuple of variables and constants) in x, y or c, C is a DLR 
concept, and R is a DLR relation.² 

For example, a query designed to return the bus number of the city buses travelling 
in both directions between two stops is: 

$$BUS(nr) \leftarrow bus\_route(nr, stop_1, stop_2) \land bus\_route(nr, stop_2, stop_1) \land city\_bus(nr)$$

where nr is a distinguished variable (it appears in the answer), stop1 and stop2 are non- 
distinguished variables, city_bus is a DLR concept and bus_route is a DLR relation. 

² The fact that these concepts and relations can also appear in the schema is one of the distin- 
guishing features of this approach. 
In this framework, the evaluation q(I) of a query q with n distinguished variables 
w.r.t. a DLR interpretation I (here perceived as a standard FO interpretation) is the set 
of n-tuples d ∈ (Δ^I)^n such that 

$$\mathcal{I} \models \exists \vec{y}.\; term_1(\vec{d}, \vec{y}, \vec{c}) \land \ldots \land term_n(\vec{d}, \vec{y}, \vec{c}).$$

As usual, we require unique interpretation of constants, i.e., in the following we will 
only consider those interpretations I with c^I ≠ c'^I for any two distinct constants c, c'. A query 
q(x) is called satisfiable w.r.t. a schema S iff there is an interpretation I with I ⊨ S 
and q(I) ≠ ∅. A query q1(x) is contained in a query q2(x) w.r.t. a schema S (written 
S ⊨ q1 ⊑ q2) iff, for every model I of S, q1(I) ⊆ q2(I). Two queries q1, q2 are called 
equivalent w.r.t. S iff S ⊨ q1 ⊑ q2 and S ⊨ q2 ⊑ q1. 
For example, the schema containing the axioms 

$$(bus\_route \sqcap (\$1/3 : city\_bus)) \sqsubseteq city\_bus\_route$$

$$city\_bus\_route \sqsubseteq (bus\_route \sqcap (\$1/3 : city\_bus)),$$

states that the relation city_bus_route contains exactly the bus_route information that 
concerns city buses. It is easy to see that the following CITY_BUS query 

$$CITY\_BUS(nr) \leftarrow city\_bus\_route(nr, stop_1, stop_2) \land city\_bus\_route(nr, stop_2, stop_1)$$

is equivalent to the previous BUS query w.r.t. the given schema. In an information inte- 
gration scenario, for example, this could be exploited by reformulating the BUS query 
as a CITY_BUS query ranging over a smaller database without any loss of information. 

2.3 The Logic SHIQ 

SHIQ is a standard DL, in the sense that it deals with concepts and (only) binary 
relations (called roles), but it is unusually expressive in that it supports reasoning with 
inverse roles, qualifying number restrictions on roles, transitive roles, and role inclusion 
axioms. 

Definition 5. Given a set of atomic concept names NC and a set of atomic role names 
NR with transitive role names NR+ ⊆ NR, every C ∈ NC is a concept, every R ∈ NR 
is a role, and every R ∈ NR+ is a transitive role. If R is a role, then R⁻ is also a role 
(and if R ∈ NR+ then R⁻ is also a transitive role). If S is a (possibly inverse) role, 
C, D are concepts, and k is a non-negative integer, then 

$$\top,\; \neg C,\; C \sqcap D,\; \exists S.C,\; \leq k\, S.C \quad \text{are also SHIQ concepts.}$$

The semantics of SHIQ is given in terms of interpretations I = (Δ^I, ·^I), where Δ^I 
is the domain (a non-empty set), and ·^I is an interpretation function that maps every 
concept to a subset of Δ^I and every role to a subset of (Δ^I)² such that the following 
equations are satisfied. 

$$\begin{aligned}
\top^{\mathcal I} &= \Delta^{\mathcal I} & (\exists S.C)^{\mathcal I} &= \{\, d \mid \exists d'.\; (d, d') \in S^{\mathcal I} \text{ and } d' \in C^{\mathcal I} \,\} \\
(\neg C)^{\mathcal I} &= \Delta^{\mathcal I} \setminus C^{\mathcal I} & (\leq k\, S.C)^{\mathcal I} &= \{\, d \mid \sharp\{ d' : (d, d') \in S^{\mathcal I} \text{ and } d' \in C^{\mathcal I} \} \leq k \,\} \\
(C \sqcap D)^{\mathcal I} &= C^{\mathcal I} \cap D^{\mathcal I} & R^{\mathcal I} &= (R^{\mathcal I})^+ \text{ for all } R \in NR_+ \\
(R^-)^{\mathcal I} &= \{\, (d', d) \mid (d, d') \in R^{\mathcal I} \,\}
\end{aligned}$$

SHIQ schemas, ABoxes, and KBs are defined similarly to those for DLR: if C, D 
are concepts, R, S are roles, and v, w are individuals, then a schema S consists of 
axioms of the form C ⊑ D and R ⊑ S, and an ABox A consists of axioms of the form 
w:C and (v, w):R. Again, a KB K is a pair (S, A), where S is a schema and A is an 
ABox. 

The definitions of interpretations, satisfiability, and models also parallel those for 
DLR, and there is again no unique name assumption. 

Note that, in order to maintain decidability, the roles that can appear in number 
restrictions are restricted [21]: if a role S occurs in a number restriction ≤ k S.C, then 
neither S nor any of its sub-roles may be transitive (i.e., if the schema contains a ⊑-path 
from S' to S, then S' is not transitive). 

3 Determining Query Containment 

In this section we will describe how the problem of deciding whether one query is 
contained in another one w.r.t. a DLR schema can be reduced to the problem of de- 
ciding KB satisfiability in the SHIQ description logic. There are three steps to this 
reduction. Firstly, the queries are transformed into DLR ABoxes A1 and A2 such that 
S ⊨ q1 ⊑ q2 iff (S, A1) ⊨ A2 (see Definition 4). Secondly, the ABox inclusion prob- 
lem is transformed into one or more KB satisfiability problems. Finally, we show how 
a DLR KB can be transformed into an equisatisfiable SHIQ KB. 

3.1 Transforming Query Containment into ABox Inclusion 

We will first show how a query can be transformed into a canonical DLR ABox. Such 
an ABox represents a generic pattern that must be matched by all tuples in the evaluation 
of the query, similar to the tableau queries one encounters in the treatment of simple 
query containment for conjunctive queries [1]. 

Definition 6. Let q be a conjunctive query. The canonical ABox for q is defined by 

$$\mathcal{A}_q = \{\, \vec{w}{:}R \mid R(\vec{w}) \text{ is an atom in } q \,\} \cup \{\, w{:}C \mid C(w) \text{ is an atom in } q \,\}.$$

We introduce a new atomic concept P_w for every individual w in A_q and define the 
completed canonical ABox for q by 

$$\overline{\mathcal{A}}_q = \mathcal{A}_q \cup \{\, w{:}P_w \mid w \text{ occurs in } \mathcal{A}_q \,\} \cup \{\, w_i{:}\neg P_{w_j} \mid w_i, w_j \text{ constants in } q \text{ and } i \neq j \,\}.$$

The axioms w:P_w in Ā_q introduce representative concepts for each individual w in 
A_q. They are used (in the axioms w_i:¬P_{w_j}) to ensure that individuals corresponding to 
different constants in q cannot have the same interpretation, and will also be useful in 
the transformation to KB satisfiability. 

By abuse of notation, we will say that an interpretation I and an assignment ρ of 
distinguished variables, non-distinguished variables and constants to elements in the 
domain of I such that I ⊨ ρ(q) define a model for Ā_q with the interpretation of the 
individuals corresponding with ρ and the interpretation P_w^I = {w^I}. 




Ian Horrocks et al. 



We can use this definition to transform the query containment problem into a (very similar) problem involving DLR ABoxes. We can assume that the names of the non-distinguished variables in $q_2$ differ from those in $q_1$ (arbitrary names can be chosen without affecting the evaluation of the query), and that the names of distinguished variables and constants appear in both queries (if a name is missing in one of the queries, it can be simply added using a term like $\top(u)$).

The following Theorem shows that a canonical ABox really captures the structure 
of a query, allowing the query containment problem to be restated as an ABox inclusion 
problem. 

Theorem 1 Given a schema $\mathcal{S}$ and queries $q_1$ and $q_2$, $\mathcal{S} \models q_1 \sqsubseteq q_2$ iff $(\mathcal{S}, \overline{\mathcal{A}_{q_1}}) \models \mathcal{A}_{q_2}$.

Before we prove Theorem 1, note that, in general, this theorem no longer holds if we replace $\mathcal{A}_{q_2}$ by $\overline{\mathcal{A}_{q_2}}$. Let $\mathcal{S}$ be a schema and $q_1, q_2$ be two queries such that $q_1$ is satisfiable w.r.t. $\mathcal{S}$ and $q_2$ contains at least one non-distinguished variable $z$. Then the completion $\overline{\mathcal{A}_{q_2}}$ contains the assertion $z{:}P_z$ where $P_z$ is a new atomic concept. Since $q_1$ is satisfiable w.r.t. $\mathcal{S}$ and $P_z$ does not occur in $\mathcal{S}$ or $q_1$, $(\mathcal{S}, \overline{\mathcal{A}_{q_1}})$ has a model $\mathcal{I}$ with $P_z^{\mathcal{I}} = \emptyset$. Such a model $\mathcal{I}$ cannot be extended to a model $\mathcal{I}'$ of $\overline{\mathcal{A}_{q_2}}$ because there is no possible interpretation for $z$ that would satisfy $z^{\mathcal{I}'} \in P_z^{\mathcal{I}'}$. Hence, $(\mathcal{S}, \overline{\mathcal{A}_{q_1}}) \not\models \overline{\mathcal{A}_{q_2}}$ regardless of whether $\mathcal{S} \models q_1 \sqsubseteq q_2$ holds or not. In the next section we will see how to deal with the non-distinguished individuals in $\mathcal{A}_{q_2}$ without the introduction of new representative concepts.

Proof of Theorem 1: For the if direction, assume $\mathcal{S} \not\models q_1 \sqsubseteq q_2$. Then there exists a model $\mathcal{I}$ of $\mathcal{S}$ and a tuple $(d_1, \ldots, d_n) \in (\Delta^{\mathcal{I}})^n$ such that $(d_1, \ldots, d_n) \in q_1(\mathcal{I})$ and $(d_1, \ldots, d_n) \notin q_2(\mathcal{I})$. $\mathcal{I}$ and the assignment of variables leading to $(d_1, \ldots, d_n)$ define a model for $\overline{\mathcal{A}_{q_1}}$. If $\mathcal{I}$ could be extended to satisfy $\mathcal{A}_{q_2}$, then the extension would correspond to an assignment of the non-distinguished variables in $q_2$ such that $(d_1, \ldots, d_n) \in q_2(\mathcal{I})$, thus contradicting the assumption.

For the only if direction, assume there is a model $\mathcal{I}$ of both $\mathcal{S}$ and $\overline{\mathcal{A}_{q_1}}$ that cannot be extended to a model of $\mathcal{A}_{q_2}$. Hence there is a tuple $(d_1, \ldots, d_n) \in q_1(\mathcal{I})$ and a corresponding assignment of variables that define $\mathcal{I}$. If there is an assignment of the non-distinguished variables in $q_2$ such that $(d_1, \ldots, d_n) \in q_2(\mathcal{I})$, then this assignment would define the extension of $\mathcal{I}$ such that $\mathcal{A}_{q_2}$ is also satisfied. □



3.2 Transforming ABox Inclusion into ABox Satisfiability 

Next, we will show how to transform the ABox inclusion problem into one or more KB satisfiability problems. In order to do this, there are two main difficulties that must be overcome. The first is that, in order to transform inclusion into satisfiability, we would like to be able to "negate" axioms. This is easy for axioms of the form $w{:}C$, because an interpretation satisfies $w{:}\neg C$ iff it does not satisfy $w{:}C$. However, we cannot deal with axioms of the form $\mathbf{w}{:}R$ in this way, because DLR only has a weak form of negation for relations relative to $\top_n$. Our solution is to transform all axioms in $\mathcal{A}_{q_2}$ into the form $w{:}C$.

The second difficulty is that $\mathcal{A}_{q_2}$ may contain individuals corresponding to non-distinguished variables in $q_2$ (given the symmetry between queries and ABoxes, we will refer to them from now on as non-distinguished individuals). These individuals introduce an extra level of quantification that we cannot deal with using our standard reasoning procedures: $(\mathcal{S}, \overline{\mathcal{A}_{q_1}}) \models \mathcal{A}_{q_2}$ iff for all models $\mathcal{I}$ of $(\mathcal{S}, \overline{\mathcal{A}_{q_1}})$ there exists some extension of $\mathcal{I}$ to $\mathcal{A}_{q_2}$. We deal with this problem by eliminating the non-distinguished individuals from $\mathcal{A}_{q_2}$.

We will begin by exploiting some general properties of ABoxes that allow us to compact $\mathcal{A}_{q_2}$ so that it contains only one axiom $\mathbf{w}{:}R$ for each tuple $\mathbf{w}$, and one axiom $w{:}C$ for each individual $w$ that is not an element in any tuple. It is obvious from the semantics that we can combine all ABox axioms relating to the same individual or tuple: $\mathcal{I} \models \{w{:}C, w{:}D\}$ (resp. $\{\mathbf{w}{:}R, \mathbf{w}{:}S\}$) iff $\mathcal{I} \models \{w{:}(C \sqcap D)\}$ (resp. $\{\mathbf{w}{:}(R \sqcap S)\}$). The following lemma shows that we can also absorb $w_i{:}C$ into $\mathbf{w}{:}R$ when $w_i$ is an element of $\mathbf{w}$.

Lemma 1 Let $\mathcal{A}$ be a DLR ABox with $\{w_i{:}C, \mathbf{w}{:}R\} \subseteq \mathcal{A}$, where $w_i$ is the $i$th element in $\mathbf{w}$. Then $\mathcal{I} \models \mathcal{A}$ iff $\mathcal{I} \models \{\mathbf{w}{:}(R \sqcap \$i{:}C)\} \cup \mathcal{A} \setminus \{w_i{:}C, \mathbf{w}{:}R\}$.

Proof: From the semantics, if $\mathbf{w}^{\mathcal{I}} \in (R \sqcap \$i{:}C)^{\mathcal{I}}$, then $\mathbf{w}^{\mathcal{I}} \in R^{\mathcal{I}}$ and $w_i^{\mathcal{I}} \in C^{\mathcal{I}}$, and if $w_i^{\mathcal{I}} \in C^{\mathcal{I}}$ and $\mathbf{w}^{\mathcal{I}} \in R^{\mathcal{I}}$, then $\mathbf{w}^{\mathcal{I}} \in (R \sqcap \$i{:}C)^{\mathcal{I}}$. □

The ABox resulting from exhaustive application of Lemma 1 can be represented as a graph, with a node for each tuple, a node for each individual, and edges connecting tuples with the individuals that compose them. The graph will consist of one or more connected components, where each component is either a single individual (representing an axiom $w{:}C$, where $w$ is not an element in any tuple) or a set of tuples linked by common elements (representing axioms of the form $\mathbf{w}{:}R$). As the connected components do not have any individuals in common, we can deal independently with the inclusion problem for each connected set of axioms: $(\mathcal{S}, \mathcal{A}) \models \mathcal{A}'$ iff $(\mathcal{S}, \mathcal{A}) \models \mathcal{G}$ for every connected set of axioms $\mathcal{G} \subseteq \mathcal{A}'$. As an example, Figure 1 shows the graph that corresponds to the ABox $\mathcal{A}_{q_2}$ from Example 1.

Returning to our original problem, we will now show how we can collapse a connected component $\mathcal{G}$ by a graph traversal into a single axiom of the form $w{:}C$, where $w$ is an element of a tuple occurring in $\mathcal{G}$ (an arbitrarily chosen "root" individual), and $C$ is a concept that describes $\mathcal{G}$ from the point of view of $w$. An example for this process will be given later in this section.

This would be easy if we were able to refer to individuals in $C$ (i.e., if our logic included nominals [25]), which is not the case. However, as we will see, it is sufficient to refer to the distinguished individuals $w_i$ in $\mathcal{G}$ (which also occur in $\overline{\mathcal{A}_{q_1}}$) by their representative concepts $P_{w_i}$. Moreover, we can refer to non-distinguished individuals $z_i$ by using $\top$ as their representative concept (this is only valid for $z_i$ that are encountered only once during the traversal of $\mathcal{G}$, but we will see later that we can, without loss of generality, restrict our attention to this case). Informally, the use of $\top$ as the representative concept for such $z_i$ can be justified by the fact that when an interpretation $\mathcal{I}$ is extended to $\mathcal{G}$, $z_i$ can be interpreted as any element in $\Delta^{\mathcal{I}}$ ($= \top^{\mathcal{I}}$).³

³ For full details, the reader is again referred to [20].
The following lemma shows how we can use the representative concepts to transform an axiom of the form $\mathbf{w}{:}R$ into an axiom of the form $w_i{:}C$.

Lemma 2 If $\mathcal{S}$ is a schema, $\mathcal{A}$ is a completed canonical ABox and $\mathcal{A}'$ is an ABox with $\mathbf{w}{:}R \in \mathcal{A}'$, then $(\mathcal{S}, \mathcal{A}) \models \mathcal{A}'$ iff $(\mathcal{S}, \mathcal{A}) \models (\{w_i{:}C\} \cup \mathcal{A}' \setminus \{\mathbf{w}{:}R\})$, where $\mathbf{w} = (w_1, \ldots, w_n)$, $w_i$ is the $i$th element in $\mathbf{w}$, $C$ is the concept

$$\exists[\$i]\Bigl(R \sqcap \bigsqcap_{j \neq i} (\$j/n{:}P_j)\Bigr),$$

and $P_j$ is the appropriate representative concept for $w_j$ ($\top$ if $w_j$ is a non-distinguished individual, $P_{w_j}$ otherwise).

Proof (sketch): For the only if direction, it is easy to see that, if $\mathcal{I} \models (\mathcal{S}, \overline{\mathcal{A}_{q_1}})$, and $\mathcal{I}'$ is an extension of $\mathcal{I}$ that satisfies $\mathbf{w}{:}R$, then $\mathcal{I}'$ also satisfies $w_i{:}C$.

The converse direction is more complicated, and exploits the fact that, for every model $\mathcal{I}$ of $(\mathcal{S}, \overline{\mathcal{A}_{q_1}})$, there is a similar model $\mathcal{I}'$ in which every representative concept $P_{w_i}$ is interpreted as $\{w_i^{\mathcal{I}}\}$. If $\mathcal{I}$ cannot be extended to satisfy $\mathbf{w}{:}R$, then neither can $\mathcal{I}'$, and, given the interpretations of the $P_{w_i}$, it is possible to show that $\mathcal{I}'$ cannot be extended to satisfy $w_i{:}C$ either. □

All that now remains is to choose the order in which we apply the transformations from Lemma 1 and 2 to the axioms in $\mathcal{G}$, so that, whenever we use Lemma 2 to transform $\mathbf{w}{:}R$ into $w_i{:}C$, we can then use Lemma 1 to absorb $w_i{:}C$ into another axiom $\mathbf{v}{:}R'$, where $w_i$ is an element of $\mathbf{v}$. We can do this using a recursive traversal of the graphical representation of $\mathcal{G}$ (a similar technique is used in [4] to transform queries into concepts). A traversal starts at an individual node $w$ (the "root") and proceeds as follows.

- At an individual node $w_i$, the node is first marked as visited. Then, while there remains an unmarked tuple node connected to $w_i$, one of these, $\mathbf{w}$, is selected, visited, and the axiom $\mathbf{w}{:}R$ transformed into an axiom $w_i{:}C$. Finally, any axioms $w_i{:}C_1, \ldots, w_i{:}C_n$ resulting from these transformations are merged into a single axiom $w_i{:}(C_1 \sqcap \ldots \sqcap C_n)$.

- At a tuple node $\mathbf{w}$, the node is first marked as visited. Then, while there remains an unmarked individual node connected to $\mathbf{w}$, one of these, $w_i$, is selected, visited, and any axiom $w_i{:}C$ that results from the visit is merged into the axiom $\mathbf{w}{:}R$ using Lemma 1.

Note that the correctness of the collapsing procedure does not depend on the traver- 
sal (whose purpose is simply to choose a suitable ordering), but only on the individual 
transformations. 

Having collapsed a component $\mathcal{G}$, we finally have a problem that we can decide using KB satisfiability:

Lemma 3 If $\mathcal{S}$ is a schema and $\mathcal{A}$ is a completed canonical ABox, then $(\mathcal{S}, \mathcal{A}) \models \{w{:}C\}$ iff $w$ is an individual in $\mathcal{A}$ and $(\mathcal{S}, (\mathcal{A} \cup \{w{:}\neg C\}))$ is not satisfiable, or $w$ is not an individual in $\mathcal{A}$ and $((\mathcal{S} \cup \{\top \sqsubseteq \neg C\}), \mathcal{A})$ is not satisfiable.

Proof (sketch): If $w$ is an individual in $\mathcal{A}$, $(\mathcal{S}, \mathcal{A}) \models \{w{:}C\}$ implies that every model $\mathcal{I}$ of $(\mathcal{S}, \mathcal{A})$ must also satisfy $w{:}C$, and this is true iff $\mathcal{I}$ does not satisfy $w{:}\neg C$. In the case where $w$ is not an individual in $\mathcal{A}$, a model $\mathcal{I}$ of $(\mathcal{S}, \mathcal{A})$ can be extended to $\{w{:}C\}$ iff $C^{\mathcal{I}} \neq \emptyset$, which is true iff $\Delta^{\mathcal{I}} \neq (\neg C)^{\mathcal{I}}$. □
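The following Python is an added worked example of Definition 6, the compaction of Lemma 1, the transformation of Lemma 2, the traversal just described and the negation step of Lemma 3. It is our own code, not the paper's procedure as implemented in FaCT (which is written in Common Lisp): queries are lists of (predicate, arguments) atoms, DLR concepts are rendered as plain strings, and the rule of visiting non-distinguished individuals before distinguished ones inside a tuple is our heuristic, not something the paper prescribes. The sample queries are constructed from Example 1 and the DWQ queries of Section 4 of this paper.

```python
# Added example (our own Python, not the paper's or FaCT's code): Definition 6
# canonical ABoxes and the compact/collapse procedure of Lemmas 1-3.
# ABox axioms are ("R", relation, tuple_of_individuals) or ("C", concept, w);
# DLR concepts are rendered as strings using ⊓, ∃[$i] and $j/n:.
import re
from collections import defaultdict

def canonical_abox(atoms):
    """Definition 6: unary atoms C(w) become w:C, n-ary atoms R(w) become w:R."""
    return [("R", p, args) if len(args) > 1 else ("C", p, args[0])
            for p, args in atoms]

def completed_canonical_abox(atoms, constants=()):
    """Add w:P_w for every individual, and w_i:¬P_{w_j} for distinct constants."""
    abox, seen = canonical_abox(atoms), []
    for _, args in atoms:
        for w in args:
            if w not in seen:
                seen.append(w)
    abox += [("C", f"P_{w}", w) for w in seen]
    abox += [("C", f"¬P_{c2}", c1) for c1 in constants for c2 in constants if c1 != c2]
    return abox

def collapse(abox, root, distinguished):
    """Collapse the connected component of `root` into a single axiom root:C by the
    traversal described above (Lemma 2 at tuple nodes, Lemma 1 at individual
    nodes). Returns (C, encounters): encounters counts how often each
    non-distinguished individual was referred to; a count above one means it
    closes a cycle and must be substituted non-deterministically (Example 1)."""
    tuples = [(p, args) for kind, p, args in abox if kind == "R"]
    own = defaultdict(list)                  # compaction: w -> conjuncts of its w:C axioms
    for kind, p, w in abox:
        if kind == "C":
            own[w].append(p)
    marked_ind, marked_tup, encounters = set(), set(), defaultdict(int)
    if root not in distinguished:
        encounters[root] += 1

    def visit_individual(w):
        marked_ind.add(w)
        conjuncts = list(own[w])
        for t, (_, args) in enumerate(tuples):
            if t not in marked_tup and w in args:
                conjuncts.append(visit_tuple(t, args.index(w)))
        return conjuncts

    def visit_tuple(t, i):
        marked_tup.add(t)
        rel, args = tuples[t]
        n, parts = len(args), [rel]
        # Our heuristic (not prescribed by the paper): visit non-distinguished
        # individuals first so the traversal walks around a cycle instead of cutting it.
        for j in sorted((j for j in range(n) if j != i),
                        key=lambda j: (args[j] in distinguished, j)):
            w = args[j]
            if w not in distinguished:
                encounters[w] += 1
            parts.append(f"(${j + 1}/{n}:P_{w})")   # Lemma 2: representative of w_j
            if w not in marked_ind:                  # Lemma 1: absorb w_j's own axioms
                parts += [f"(${j + 1}/{n}:{c})" for c in visit_individual(w)]
        return f"∃[${i + 1}]({' ⊓ '.join(parts)})"

    return " ⊓ ".join(visit_individual(root)), dict(encounters)

def simplify(concept, encounters):
    """Non-distinguished individuals met exactly once get ⊤ as representative;
    the resulting ($j/n:⊤) conjunct is implied by R and is dropped."""
    for z, k in encounters.items():
        if k == 1:
            concept = re.sub(r" ⊓ \(\$\d+/\d+:P_" + re.escape(z) + r"\)", "", concept)
    return concept

def substitute(root, concept, z, i):
    """Identify a cycle-closing z with an individual i of the other ABox: i:C[z/i]."""
    return (i if root == z else root), concept.replace(f"P_{z})", f"P_{i})")

def satisfiability_problem(completed_abox, w, concept):
    """Lemma 3, w in A: (S, A) ⊨ {w:C} iff (S, A ∪ {w:¬C}) is unsatisfiable."""
    return completed_abox + [("C", f"¬({concept})", w)]

# Sample queries, constructed from Example 1 and the DWQ queries of Section 4.
Q2_BUS = [("city_bus_route", ("n", "z1", "z2")), ("city_bus_route", ("n", "z2", "z1"))]
Q1_DWQ = [("Business-Customer", ("x",))]
Q2_DWQ = [("agreement", ("x", "y1", "y2")), ("Contract", ("y1",)), ("Service", ("y2",)),
          ("contract-company", ("y1", "y3")), ("Telecom-company", ("y3",))]

def dwq_reduction():
    """Whole reduction for the DWQ pair: the ABox A_1 ∪ {x:¬C'} handed to the KB tester."""
    concept, enc = collapse(canonical_abox(Q2_DWQ), "x", {"x"})
    return satisfiability_problem(completed_canonical_abox(Q1_DWQ), "x", simplify(concept, enc))

if __name__ == "__main__":
    c, enc = collapse(canonical_abox(Q2_BUS), "z1", {"n"})
    print(simplify(c, enc), enc)             # z1 counted twice: it closes the cycle
    print(dwq_reduction())
```

For the cyclic query of Example 1 the traversal from $z_1$ reports $z_1$ twice and $z_2$ once, so $P_{z_2}$ becomes $\top$ while $P_{z_1}$ must be substituted by an individual of $\mathcal{A}_1$ (`substitute`), reproducing the paper's concept up to the order of conjuncts and the splitting of $\$j{:}(C \sqcap D)$ into $\$j{:}C \sqcap \$j{:}D$. For the acyclic DWQ query every $y_i$ is met once and the collapsed concept reduces to $C'_{q_2}$ of Section 4.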

If a non-distinguished individual $z_i$ is encountered more than once during a traversal, then it is enforcing a co-reference that closes a cycle in the query. In this case we cannot simply use $\top$ to refer to it, as this would fail to capture the fact that $z_i$ must be interpreted as the same element of $\Delta^{\mathcal{I}}$ on each occasion.

In [4] this problem is dealt with by replacing the non-distinguished variables occurring in a cycle in $q_2$ with variables or constants from $q_1$, and forming a disjunction of the concepts resulting from each possible replacement. This is justified by the fact that cycles cannot be expressed in the DLR schema and so must be present in $q_1$. However, this fails to take into account the fact that identifying two or more of the non-distinguished variables in $q_2$ could eliminate the cycle.

We overcome this problem by introducing an additional layer of disjunction in which non-distinguished individuals occurring in cycles are identified (in every possible way) with other individuals occurring in the same cycle. We then continue as in [4], but only replacing those individuals that actually enforce a co-reference, i.e., that would be encountered more than once during the graph traversal.⁴

Example 1 To illustrate the inclusion to satisfiability transformation, we will refer to the example given in Section 2.2. The containment of BUS in CITY_BUS w.r.t. the schema is demonstrated by the inclusion $(\mathcal{S}, \mathcal{A}_1) \models \mathcal{A}_2$, where $\mathcal{S}$, $\mathcal{A}_1$ and $\mathcal{A}_2$ are the schema and two canonical ABoxes (completed in the case of $\mathcal{A}_1$) corresponding to the given queries:

$$\mathcal{S} = \left\{ \begin{array}{l} (\text{bus\_route} \sqcap (\$1/3{:}\text{city\_bus})) \sqsubseteq \text{city\_bus\_route}, \\ \text{city\_bus\_route} \sqsubseteq (\text{bus\_route} \sqcap (\$1/3{:}\text{city\_bus})) \end{array} \right\}$$

$$\mathcal{A}_1 = \{\, (n, y_1, y_2){:}\text{bus\_route},\ (n, y_2, y_1){:}\text{bus\_route},\ n{:}\text{city\_bus},\ n{:}P_n,\ y_1{:}P_{y_1},\ y_2{:}P_{y_2} \,\}$$

$$\mathcal{A}_2 = \{\, (n, z_1, z_2){:}\text{city\_bus\_route},\ (n, z_2, z_1){:}\text{city\_bus\_route} \,\}$$

The two axioms in $\mathcal{A}_2$ are connected, and can be collapsed into a single axiom using the described procedure. Figure 1 shows a traversal of the graph $\mathcal{G}$ corresponding to $\mathcal{A}_{q_2}$ that starts at $z_1$ and traverses the edges in the indicated sequence.⁵ The resulting axiom (describing $\mathcal{A}_2$ from the point of view of $z_1$) is $z_1{:}C$, where $C$ is the concept

$$\underset{1}{\exists[\$2]}\Bigl(\text{city\_bus\_route} \sqcap \bigl(\underset{2}{\$3{:}}\bigl(P_{z_2} \sqcap \underset{3}{\exists[\$2]}(\text{city\_bus\_route} \sqcap \underset{4}{\$1{:}}P_n \sqcap \underset{5}{\$3{:}}P_{z_1})\bigr)\bigr) \sqcap \underset{6}{\$1{:}}P_n\Bigr)$$

with $P_{z_1}, P_{z_2}$ "place-holders" for $z_1, z_2$,⁶ and the numbers below the DLR operators denote the edges which correspond to the respective subconcept of $C$. As $z_2$ is encountered only once in the traversal, $P_{z_2}$ can be replaced with $\top$, but as $z_1$ is encountered twice (as the root and as $P_{z_1}$), it must be replaced (non-deterministically) with an individual $i$ occurring in $\mathcal{A}_1$ (we will refer to the resulting concepts as $C[z_1/i]$), and thus $(\mathcal{S}, \mathcal{A}_1) \models \mathcal{A}_2$ iff $(\mathcal{S}, \mathcal{A}_1) \models \{i{:}C[z_1/i]\}$. Taking $i = y_1$ we have $(\mathcal{S}, \mathcal{A}_1) \models \{y_1{:}C[z_1/y_1]\}$ because $(\mathcal{S}, (\mathcal{A}_1 \cup \{y_1{:}\neg C[z_1/y_1]\}))$ is not satisfiable.

Fig. 1. A traversal of the graph corresponding to $\mathcal{A}_{q_2}$ (nodes: the tuples $(n, z_1, z_2){:}\text{city\_bus\_route}$ and $(n, z_2, z_1){:}\text{city\_bus\_route}$ and the individuals $n$, $z_1$, $z_2$)

⁴ Note that the graph traversal must always start from the same root.

⁵ We will ignore the first non-deterministic step as no individual identifications are required in order to prove the containment.

⁶ In practice, we use such "place-holders" during the collapsing procedure and then make appropriate (possibly non-deterministic) substitutions.

Summing up, we thus have: 

Theorem 2 For a DLR KB $\mathcal{K} = (\mathcal{S}, \mathcal{A})$ and a DLR ABox $\mathcal{A}'$, the problem of deciding whether $\mathcal{A}$ is included in $\mathcal{A}'$ w.r.t. $\mathcal{S}$ can be reduced to (possibly several) DLR ABox satisfiability problems.

Concerning the practicability of this reduction, it is easy to see that, for any fixed choice of substitutions for the non-distinguished individuals in $\mathcal{G}$, the reduction from Theorem 2 can be computed in polynomial time. More problematically, it is necessary to consider each possible identification of non-distinguished individuals occurring in cycles in $\mathcal{G}$, and for each of these all possible mappings from the set $Z$ of non-distinguished individuals that occur more than once in the collapsed $\mathcal{G}$ to the set $W$ of individuals that occur in $\mathcal{A}_1$ (of which there are many). However, both $Z$ and $W$ will typically be quite small, especially $Z$ which will consist only of those non-distinguished individuals that occur in a cycle in $\mathcal{G}$ and are actually used to enforce a co-reference (i.e., to "close" the cycle). This represents a useful refinement over the procedure described in [4], where all $z_i$ that occur in cycles are non-deterministically replaced with some $w_i$, regardless of whether or not they are used to enforce a co-reference. Moreover, it is easy to show that most individual identifications cannot contribute to the solution, and can thus be ignored. Therefore, we do not believe that this additional non-determinism compromises the feasibility of our approach.

Interestingly, also in [13], cycles in queries are identified as a main cause for com- 
plexity. There it is shown that query containment without constraints is decidable in 
polynomial time for acyclic queries whereas the problem for possibly cyclic queries is 
NP-complete [12]. 
3.3 Transforming DLR Satisfiability into SHIQ Satisfiability

We decide satisfiability of DLR knowledge bases by means of a satisfiability-preserving translation $\sigma(\cdot)$ from DLR KBs to SHIQ KBs. This translation must deal with the fact that DLR allows for arbitrary $n$-ary relations while SHIQ only allows for unary predicates and binary relations; this is achieved by a process called reification (see, for example [16]). The main idea behind this is easily described: each $n$-ary tuple in a DLR-interpretation is represented by an individual in a SHIQ-interpretation that is linked via the dedicated functional relations $f_i$ to the elements of the tuple.

For DLR without regular expressions, the mapping $\sigma(\cdot)$ (given by [4])

$$\begin{array}{ll}
\sigma(\top_n) = \top_n & \sigma(\top) = \top_1 \\
\sigma(P) = P & \sigma(A) = A \\
\sigma(\$i/n{:}C) = \top_n \sqcap \exists f_i.\sigma(C) & \sigma(\neg C) = \neg\sigma(C) \\
\sigma(\neg R) = \top_n \sqcap \neg\sigma(R) & \sigma(C_1 \sqcap C_2) = \sigma(C_1) \sqcap \sigma(C_2) \\
\sigma(R_1 \sqcap R_2) = \sigma(R_1) \sqcap \sigma(R_2) & \sigma(\exists[\$i]R) = \exists f_i^-.\sigma(R) \\
 & \sigma(\leqslant k[\$i]R) = \leqslant k\, f_i^-.\sigma(R)
\end{array}$$

reifies DLR expressions into SHIQ-concepts. This mapping can be extended to a knowledge base (KB) as follows.

Definition 7. Let $\mathcal{K} = (\mathcal{S}, \mathcal{A})$ be a DLR KB. The reification of $\mathcal{S}$ is given by

$$\sigma(\mathcal{S}) = \{\, (\sigma(R_1) \sqsubseteq \sigma(R_2)) \mid (R_1 \sqsubseteq R_2) \in \mathcal{S} \,\} \cup \{\, (\sigma(C_1) \sqsubseteq \sigma(C_2)) \mid (C_1 \sqsubseteq C_2) \in \mathcal{S} \,\}.$$



To reify the ABox $\mathcal{A}$, we have to reify all tuples appearing in the axioms. For each distinct tuple $\mathbf{w} = (w_1, \ldots, w_n)$ occurring in $\mathcal{A}$, we choose a distinct individual $t_{\mathbf{w}}$ (called the "reification of $\mathbf{w}$") and define:

$$\sigma(\mathbf{w}{:}R) = \{\, t_{\mathbf{w}}{:}\sigma(R) \,\} \cup \{\, (t_{\mathbf{w}}, w_i){:}f_i \mid 1 \leq i \leq n \,\} \quad \text{and}$$

$$\sigma(\mathcal{A}) = \bigcup \{\, \sigma(\mathbf{w}{:}R) \mid \mathbf{w}{:}R \in \mathcal{A} \,\} \cup \{\, w{:}\sigma(C) \mid w{:}C \in \mathcal{A} \,\}.$$



We need a few additional inclusion and ABox axioms to guarantee that any model of $(\sigma(\mathcal{S}), \sigma(\mathcal{A}))$ can be "un-reified" into a model of $(\mathcal{S}, \mathcal{A})$. Let $n_{max}$ denote the maximum arity of the DLR relations appearing in $\mathcal{K}$. We define $f(\mathcal{S})$ to consist of the following axioms (where $x = y$ is an abbreviation for $x \sqsubseteq y$ and $y \sqsubseteq x$):

$$\begin{array}{ll}
\top = \top_1 \sqcup \cdots \sqcup \top_{n_{max}} & \\
\top \sqsubseteq (\leqslant 1\, f_1) \sqcap \cdots \sqcap (\leqslant 1\, f_{n_{max}}) & \\
\forall f_i.\bot \sqsubseteq \forall f_{i+1}.\bot & \text{for } 2 \leq i \leq n_{max} \\
\top_i = \exists f_1.\top_1 \sqcap \cdots \sqcap \exists f_i.\top_1 \sqcap \forall f_{i+1}.\bot & \text{for } 2 \leq i \leq n_{max} \\
P \sqsubseteq \top_n & \text{for each atomic relation } P \text{ of arity } n \\
A \sqsubseteq \top_1 & \text{for each atomic concept } A
\end{array}$$

These are standard reification axioms, and can already be found in [4].

We introduce a new atomic concept $Q_w$ for every individual $w$ in $\mathcal{A}$ and define $f(\mathcal{A})$ to consist of the following axioms:

$$f(\mathcal{A}) = \{\, w{:}Q_w \mid w \text{ occurs in } \mathcal{A} \,\} \cup \{\, w_1{:}\leqslant 1\, f_1^-.(\top_n \sqcap \exists f_2.Q_{w_2} \sqcap \ldots \sqcap \exists f_n.Q_{w_n}) \mid (w_1, \ldots, w_n) \text{ occurs in } \mathcal{A} \,\}$$

These axioms are crucial when dealing with the problem of tuple-admissibility (see below) in the presence of ABoxes.

Finally, we define $\sigma(\mathcal{K}) = ((\sigma(\mathcal{S}) \cup f(\mathcal{S})), (\sigma(\mathcal{A}) \cup f(\mathcal{A})))$.
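The reification of Definition 7 and the $f(\mathcal{A})$ axioms above, as an added Python example that is our own code and not the paper's or FaCT's: DLR expressions are encoded as nested tuples of our own design, SHIQ concepts are rendered as strings (with `T_n` for $\top_n$ and `f_i^-` for the inverse role $f_i^-$), and the sample schema and ABox are constructed from Example 1 of this paper.

```python
# Added example (our own Python, not the paper's or FaCT's code): the reification
# σ(·) of Section 3.3 / Definition 7 and the f(A) axioms. The tuple encoding of
# DLR syntax and the string rendering of SHIQ concepts are our own conventions.

def paren(s):
    """Parenthesise compound SHIQ concepts so that nesting stays unambiguous."""
    return s if " " not in s else f"({s})"

def sigma(e):
    """σ: DLR concept or relation expression -> SHIQ concept (as a string).
    Concepts: 'T', ('A', name), ('not', C), ('and', C1, C2), ('ex', i, R), ('le', k, i, R).
    Relations of arity n: ('Tn', n), ('P', name), ('sel', i, n, C), ('notr', n, R), ('andr', R1, R2)."""
    if e == "T":                                # σ(⊤) = ⊤_1
        return "T_1"
    tag = e[0]
    if tag in ("A", "P"):                       # atomic concepts and relations are kept
        return e[1]
    if tag == "Tn":                             # σ(⊤_n) = ⊤_n
        return f"T_{e[1]}"
    if tag == "sel":                            # σ($i/n:C) = ⊤_n ⊓ ∃f_i.σ(C)
        _, i, n, c = e
        return f"T_{n} ⊓ ∃f_{i}.{paren(sigma(c))}"
    if tag == "notr":                           # σ(¬R) = ⊤_n ⊓ ¬σ(R)
        _, n, r = e
        return f"T_{n} ⊓ ¬{paren(sigma(r))}"
    if tag in ("and", "andr"):                  # conjunction is mapped pointwise
        return f"{paren(sigma(e[1]))} ⊓ {paren(sigma(e[2]))}"
    if tag == "not":                            # σ(¬C) = ¬σ(C)
        return f"¬{paren(sigma(e[1]))}"
    if tag == "ex":                             # σ(∃[$i]R) = ∃f_i^-.σ(R)
        _, i, r = e
        return f"∃f_{i}^-.{paren(sigma(r))}"
    if tag == "le":                             # σ(≤k[$i]R) = ≤k f_i^-.σ(R)
        _, k, i, r = e
        return f"≤{k} f_{i}^-.{paren(sigma(r))}"
    raise ValueError(f"unknown DLR expression: {e!r}")

def reify_schema(schema):
    """σ(S): inclusion axioms (lhs, rhs) are mapped pointwise."""
    return [(sigma(lhs), sigma(rhs)) for lhs, rhs in schema]

def reify_abox(abox):
    """σ(A): every distinct tuple w gets a fresh individual t_w linked to its
    elements by the functional roles f_1..f_n; concept axioms map pointwise.
    abox: list of ('R', R, w) with w a tuple, and ('C', C, w) with w an individual."""
    names, out = {}, []
    for kind, expr, w in abox:
        if kind == "C":
            out.append((w, sigma(expr)))
        else:
            t = names.setdefault(w, f"t_{len(names) + 1}")
            out.append((t, sigma(expr)))
            out += [((t, wi), f"f_{i}") for i, wi in enumerate(w, 1)]
    return out

def abox_guard_axioms(abox):
    """f(A): w:Q_w for every individual w, plus, for every tuple (w_1,...,w_n),
    w_1: ≤1 f_1^-.(⊤_n ⊓ ∃f_2.Q_{w_2} ⊓ ... ⊓ ∃f_n.Q_{w_n}), which rules out two
    distinct reifications of the same ABox tuple (tuple-admissibility)."""
    individuals, out = [], []
    for kind, _, w in abox:
        for x in (w if kind == "R" else (w,)):
            if x not in individuals:
                individuals.append(x)
    out += [(x, f"Q_{x}") for x in individuals]
    for kind, _, w in abox:
        if kind == "R":
            body = " ⊓ ".join([f"T_{len(w)}"] + [f"∃f_{i}.Q_{x}" for i, x in enumerate(w[1:], 2)])
            out.append((w[0], f"≤1 f_1^-.({body})"))
    return out

# Constructed from Example 1: the schema and (part of) the ABox A_1.
BUS_SCHEMA = [
    (("andr", ("P", "bus_route"), ("sel", 1, 3, ("A", "city_bus"))), ("P", "city_bus_route")),
    (("P", "city_bus_route"), ("andr", ("P", "bus_route"), ("sel", 1, 3, ("A", "city_bus")))),
]
BUS_ABOX = [("R", ("P", "bus_route"), ("n", "y1", "y2")),
            ("R", ("P", "bus_route"), ("n", "y2", "y1")),
            ("C", ("A", "city_bus"), "n")]
```

The two `bus_route` tuples of Example 1 receive distinct reifications `t_1` and `t_2`, each linked to $n$, $y_1$, $y_2$ through $f_1, f_2, f_3$, and `abox_guard_axioms` emits for each of them the $\leqslant 1\, f_1^-$ axiom at $n$ that prevents a model of $\sigma(\mathcal{K})$ from duplicating the tuple.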



Theorem 3 Let $\mathcal{K} = (\mathcal{S}, \mathcal{A})$ be a DLR knowledge base. $\mathcal{K}$ is satisfiable iff the SHIQ-KB $\sigma(\mathcal{K})$ is satisfiable.

Proof (sketch): The same techniques that were used in [2] can be adapted to the DL SHIQ, and extended to deal with ABox axioms. The only-if direction is straightforward. A model $\mathcal{I}$ of $\mathcal{K}$ can be transformed into a model of $\sigma(\mathcal{K})$ by introducing, for every arity $n$ with $2 \leq n \leq n_{max}$ and every $n$-tuple of elements $\mathbf{d} \in (\Delta^{\mathcal{I}})^n$, a new element $t_{\mathbf{d}}$ that is linked to the elements of $\mathbf{d}$ by the functional relations $f_i$. If we interpret $\top_1$ by $\Delta^{\mathcal{I}}$, $\top_n$ by the reifications of all elements in $\top_n^{\mathcal{I}}$, and, for every $w$ that occurs in $\mathcal{A}$, $Q_w$ by $\{w^{\mathcal{I}}\}$, then it is easy to show that we have constructed a model of $\sigma(\mathcal{K})$.

The converse direction is more complicated since a model of $\sigma(\mathcal{K})$ is not necessarily tuple-admissible, i.e., in general there may be distinct elements $t, t'$ that are reifications of the same tuple $\mathbf{d}$. In the "un-reification" of such a model, $\mathbf{d}$ would only appear once which may conflict with assertions in the DLR KB about the number of tuples in certain relations. However, it can be shown that every satisfiable KB $\sigma(\mathcal{K})$ also has a tuple-admissible model. It is easy to show that such a model, by "un-reification", induces a model for the original KB $\mathcal{K}$. □

We now have the machinery to transform a query containment problem into one or more SHIQ schema and ABox satisfiability problems. In the FaCT system we already have a decision procedure for SHIQ schema satisfiability, and this can be straightforwardly extended to deal with ABox axioms [22].

We have already argued why we believe our approach to be feasible. It should also be mentioned that our approach matches the known worst-case complexity of the problem, which was determined as ExpTime-complete in [4]. Satisfiability of a SHIQ-KB can be determined in ExpTime.⁷ All reduction steps can be computed in deterministic polynomial time, with the exception of the reduction used in Theorem 2, which requires consideration of exponentially many mappings. Yet, for every fixed mapping, the reduction is polynomial, which yields that our approach decides query containment in ExpTime.

4 The FaCT System 

It is claimed in Section 1 that one of the main benefits of our approach is that it leads to a practical solution to the query containment problem. In this section we will substantiate this claim by presenting the results of a simple experiment in which the FaCT system is used to decide a query containment problem with respect to the DWQ schema mentioned in Section 1.

⁷ This does not follow from the algorithm presented in [22], which focuses on feasibility rather than worst-case complexity. It can be shown using a precompletion strategy similar to the one used in [26] together with the ExpTime-completeness of CIQ [15].

The FaCT system includes an optimised implementation of a schema satisfiability testing algorithm for the DL SHIQ. As the extension of FaCT to include the ABox satisfiability testing algorithm described in [22] has not yet been completed, FaCT is currently only able to test the satisfiability of a KB $(\mathcal{S}, \mathcal{A})$ in the case where $\mathcal{A}$ contains a single axiom of the form $w{:}C$ (this is equivalent to testing the satisfiability of the concept $C$ w.r.t. the schema $\mathcal{S}$). We have therefore chosen a query containment problem that can be reduced to a SHIQ KB satisfiability problem of this form using the methodology described in Section 3.

The DWQ schema is derived from the integration of several Extended Entity-Relationship (EER) schemas using DLR axioms to define inter-schema constraints [7]. One of the schemas, called the enterprise schema, represents the global concepts and relationships that are of interest in the Data Warehouse; a fragment of the enterprise schema that will be relevant to the query containment example is shown in Figure 2. A total of 5 source schemas representing (portions of) actual data sources are integrated with the enterprise schema using DLR axioms to establish the relationship between entities and relations in the source and enterprise schemas (the resulting integrated schema contains 48 entities, 29 relations and 49 DLR axioms). For example, one of the DLR axioms defining the relationship between the enterprise schema and the entity "Business-Customer" in the source schema describing business contracts is

$$\text{Business-Customer} \sqsubseteq (\text{Company} \sqcap \exists[\$1](\text{agreement} \sqcap (\$2/3{:}(\text{Contract} \sqcap \exists[\$1](\text{contract-company} \sqcap (\$2/2{:}\text{Telecom-company})))))).$$

This axiom states, roughly speaking, that a Business-Customer is a kind of Company that has an agreement where the contract is with a Telecom-company.

As a result of this axiom, it is relatively easy to see that the query

$$q_1(x) \leftarrow \text{Business-Customer}(x)$$

is contained in the query

$$q_2(x) \leftarrow \text{agreement}(x, y_1, y_2) \wedge \text{Contract}(y_1) \wedge \text{Service}(y_2) \wedge \text{contract-company}(y_1, y_3) \wedge \text{Telecom-company}(y_3)$$

with respect to the DWQ schema $\mathcal{S}$, written $\mathcal{S} \models q_1 \sqsubseteq q_2$.

The two queries can be transformed into the following (completed) canonical DLR ABoxes

$$\begin{array}{l}
\overline{\mathcal{A}_{q_1}} = \{\, x{:}\text{Business-Customer},\ x{:}P_x \,\} \\[4pt]
\mathcal{A}_{q_2} = \{\, (x, y_1, y_2){:}\text{agreement},\ y_1{:}\text{Contract},\ y_2{:}\text{Service},\ (y_1, y_3){:}\text{contract-company},\ y_3{:}\text{Telecom-company} \,\},
\end{array}$$

where $P_x$ is the representative concept for $x$. We can now compact and collapse $\mathcal{A}_{q_2}$ to give an ABox $\{x{:}C_{q_2}\}$, where

$$C_{q_2} = \exists[\$1](\text{agreement} \sqcap (\$2/3{:}P_{y_1}) \sqcap (\$3/3{:}P_{y_2}) \sqcap (\$2/3{:}\text{Contract}) \sqcap (\$3/3{:}\text{Service}) \sqcap (\$2/3{:}\exists[\$1](\text{contract-company} \sqcap (\$2/2{:}P_{y_3}) \sqcap (\$2/2{:}\text{Telecom-company})))).$$




Fig. 2. A fragment of the DWQ enterprise schema



As each of the place-holders $P_{y_1}$, $P_{y_2}$ and $P_{y_3}$ occurs only once in the ABox, they can be replaced with $\top$, and $C_{q_2}$ can be simplified to give

$$C'_{q_2} = \exists[\$1](\text{agreement} \sqcap (\$2/3{:}\text{Contract}) \sqcap (\$3/3{:}\text{Service}) \sqcap (\$2/3{:}\exists[\$1](\text{contract-company} \sqcap (\$2/2{:}\text{Telecom-company})))).$$

We can now determine if the query containment $\mathcal{S} \models q_1 \sqsubseteq q_2$ holds by testing the satisfiability of the KB $(\mathcal{S}, \mathcal{A})$, where $\mathcal{A} = \{\, x{:}\text{Business-Customer},\ x{:}P_x,\ x{:}\neg C'_{q_2} \,\}$. Moreover, $\mathcal{A}$ can be compacted to give $\{x{:}C\}$, where $C = \text{Business-Customer} \sqcap P_x \sqcap \neg C'_{q_2}$, and the KB satisfiability problem can be decided by using FaCT to test the satisfiability of the concept $\sigma(C)$ w.r.t. the schema $\sigma(\mathcal{S})$. Thus we have $\mathcal{S} \models q_1 \sqsubseteq q_2$ iff $\sigma(C)$ is not satisfiable w.r.t. $\sigma(\mathcal{S})$.

The FaCT system is implemented in Common Lisp, and the tests were performed using Allegro CL Enterprise Edition 5.0 running under Red Hat Linux on a 450MHz Pentium III with 128Mb of RAM. Excluding the time taken to load the schema from disk (60ms), FaCT takes only 60ms to determine that $\sigma(C)$ is not satisfiable w.r.t. $\sigma(\mathcal{S})$. Moreover, if $\sigma(\mathcal{S})$ is first classified (i.e., the subsumption partial ordering of all named concepts in $\sigma(\mathcal{S})$ is computed and cached), the time taken to determine the unsatisfiability is reduced to only 20ms. The classification procedure itself takes 3.5s (312 satisfiability tests are performed at an average of ≈11ms per satisfiability test), but this only needs to be done once for a given schema.

Although the above example is relatively trivial, it still requires FaCT to perform quite complex reasoning, the result of which depends on the presence of DLR inter-schema constraint axioms; in the absence of such axioms (e.g., in the case of a single EER schema), reasoning should be even more efficient. Of course deciding arbitrary query containment problems would, in general, require full ABox reasoning. However, the above tests still give a useful indication of the kind of performance that could be expected: the algorithm for deciding SHIQ ABox satisfiability presented in [22] is similar to the algorithm implemented in FaCT, and as the number of individuals generated by the encoding of realistic query containment problems will be relatively small, extending FaCT to deal with such problems should not compromise the demonstrated empirical tractability. Moreover, given the kind of performance exhibited by FaCT, the limited amount of additional non-determinism that might be introduced as a result of cycles in the containing query would easily be manageable.

The results presented here also substantiate our claim that transforming DLR satisfiability problems into SHIQ leads to greatly improved empirical tractability with respect to the embedding technique described in Calvanese et al. [4]. During the DWQ project, attempts were made to classify the DWQ schema using a similar embedding in the less expressive SHIF logic [19] implemented in an earlier version of the FaCT system. These attempts were abandoned after several days of CPU time had been spent in an unsuccessful effort to solve a single satisfiability problem. This is in contrast to the 3.5s taken by the new SHIQ reasoner to perform the 312 satisfiability tests required to classify the whole schema.

5 Discussion 

In this paper we have shown how the problem of query containment under constraints can be decided using a KB (schema plus ABox) satisfiability tester for the SHIQ description logic, and we have indicated how a SHIQ schema satisfiability testing algorithm can be extended to deal with an ABox. We have only talked about conjunctive queries, but extending the procedure to deal with disjunctions of conjunctive queries is straightforward. The procedure for verifying containment between disjunctions of conjunctive queries is not very different from the one described for simple conjunctive queries. The main difference is that, although each conjunctive part becomes an ABox (as described in Section 3.1), the object representing the whole disjunctive query is a set of alternative ABoxes. This results in one more non-deterministic step, whose complexity is determined by the number of disjuncts appearing in both queries. Full details can be found in [20].

Although there is some loss of expressive power with respect to the framework 
presented in [4] this seems to be acceptable when modelling classical relational infor- 
mation systems, where regular expressions are seldom used. 

As we have shown in Section 4, the FaCT implementation of the SHIQ schema satisfiability algorithm works well with realistic problems, and given that the number of individuals generated by query containment problems will be relatively small, there is good reason to believe that a combination of the ABox encoding and the extended algorithm will lead to a practical decision procedure for query containment problems. Work is underway to test this hypothesis by extending the FaCT system to deal with SHIQ ABoxes.
Abstract. We define a generic control-flow sensitive static analysis, Static Reduction Analysis (SRA), for an untyped object-oriented language featuring side-effects and exceptions. While its aims and range of applications closely relate to Control Flow Analysis (CFA), SRA exhibits a distinguishing feature: it only deals with abstract syntax tree (AST) nodes and does not involve approximations of environments nor stores.



1 Introduction 

Static analysis [9,11] is a collection of compile-time techniques to predict program properties and a prerequisite for many program transformations/compiler optimisations (e.g. dead code elimination, partial evaluation or parallelisation) and program verifications (e.g. array-bound checking, pointer analysis or model-checking). In a nutshell, a static analysis computes, given a program $P$ and a program point $p$, a finite set $S(p)$ of approximations of $p$ such that if $P$ has value $v$ at $p$, then $v \in S(p)$ must hold. Knowledge about $S(p)$ for each program point $p$ of $P$ is then used to perform transformations/verifications on $P$.

The main purpose of this paper is to report on a generic static analyser for an 
untyped, imperative object-oriented language featuring inheritance, overloading 
and exceptions. Our analyser presents four distinguishing features: 

— context-sensitive: most analyses are control-flow insensitive and assume that statements and calls may be executed in an arbitrary order. Such analyses lead to unnecessarily coarse approximations. For example, a control-flow insensitive analysis for the program

    x=1; x=2;

simply merges all the possible values of x in the approximation and returns both values 1 and 2. We see this loss of precision as a weakness of existing analyses:

• in a language like Java, variables are initialised by default [4, Section 4.5.4]. These default values will always be included in approximations, yielding imprecise results. Indeed, the example Java program
    class Point {
        int x;
        static void main() {
            Point o = new Point();   // o.x is default-initialised to 0 here
            o.x = 10;
            o.x;                     // program point of interest
        }
    }

is approximated to {0,10};

• the loss of precision incurred by control-flow insensitivity is not acceptable for some applications, such as information flow analysis [19]. Indeed, consider a slightly modified version of our first example:

    x=secret; x=public;

It is approximated by the set {public, secret} so that if x is deemed public, a control-flow insensitive analysis will reveal a possible information flow leak (a public variable is approximated by a secret variable) whereas one knows that the value of x is public. Further examples of the phenomenon may be found in [8] and include programs such as

    x=secret; x=6;
    x=y; y=x;

where x is deemed public and y is deemed secret.¹

— generic: in order to maintain a high level of abstraction (and generality),
method lookup is left unspecified and is relegated to an external lookup
function Lookup, which determines the method that is activated in a method call.
Specific approaches to method lookup may then be recovered by choosing a
suitable instantiation of the Lookup function.

— parameterised: the quality of approximations, i.e. the size of $S(p)$, is
determined by an approximation function, and is dictated by applications.
For example, static analyses used in compiler optimisations favour efficiency
over precision, whereas static analyses used in program verification tend
to give up efficiency for increased precision. Following [16], we account for the
different uses of static analyses by parameterising our analysis over an
approximation function $\mathcal{F}$. Specific analyses may then be recovered by choosing
a suitable instantiation of the $\mathcal{F}$ function.

— AST based: the salient feature of our analysis is to deal only with abstract
syntax objects (AST nodes). The basic idea is to derive the analysis from an
evaluator that handles bindings through a global store rather than through
environments. Being AST based, Static Reduction Analysis does not require
approximating new run-time values, such as environments; this is in strong
contrast with k-CFA and related analyses, see e.g. [7,10,16] for functional
languages and [5,13] for object-oriented languages, which introduce complex
notions such as contours. It makes SRA simpler than these analyses without
compromising generality (we can recover the k-CFA analyses by taking suitable
instantiations of the approximation function) nor efficiency (the only
overheads of SRA, as compared to CFA, are those incurred by control-flow
sensitivity). Again, this is in strong contrast with Set-Based Analysis, see
e.g. [3,6], which trades generality for simplicity.

¹ Currently our analysis does not accept all the examples from [8] because we only
compute arithmetic expressions when they appear in a comparison.

The main purpose of this paper is to define Static Reduction Analysis for an
object-oriented language. Its applications to program transformation, including
partial evaluation, and program verification, including security, will be reported
elsewhere.

The remainder of the paper is organised as follows. In Section 2, we briefly
review Static Reduction Analysis for the λ-calculus. In Section 3, we introduce the
language $\mathcal{L}_{ioe}$ and give the associated SRA rules. Section 4 introduces a family of
approximation functions and compares their relative merits. Finally, we conclude
in Section 5 with a brief description of a prototype implementation of SRA and
directions for future work.



2 Static Reduction Analysis for the λ-Calculus



The purpose of this section is to define SRA for a call-by-value λ-calculus; most
of the ideas originate from [14], where SRA is first introduced. For the clarity of
the presentation, we first recall the traditional definition of evaluators based on
environments and closures:

$[\![\lambda x.B]\!]\epsilon = \langle \lambda x.B, \epsilon \rangle$ (Abstraction)

$[\![x]\!]\epsilon = \epsilon(x)$ (Variable)

$[\![F@A]\!]\epsilon =$ (Call in the extended environment)

where $[\![F]\!]\epsilon = \langle \lambda x.B, \epsilon' \rangle$ (Getting a closure)

Such evaluators link values to expressions but introduce runtime objects,
namely environments and closures, which need to be approximated [16]. An
alternative for describing evaluators without introducing new runtime objects is
to switch to a global store for handling bindings:

$[\![\lambda x.B]\!] = \lambda x.B$ (Abstraction)

$[\![F@A]\!] = [\![B']\!]$ (Call in global environment)

where $[\![F]\!] = \lambda x.B$ (Function value)

$g = gensym()$ (A fresh variable)

$B' = B\{x \leftarrow g\}$ (α-conversion)

$[\![g]\!] = [\![A]\!]$ (Variable definition)

The last clause generates a new equation fixing the value of $g$ in the global
store. This procedure lets us emulate shallow binding and maintains a tight
relationship between source and generated terms as the evaluator only performs
an α-conversion between $\lambda x.B$ and $\lambda g.B'$ (we say that $\lambda g.B'$ is a copy of $\lambda x.B$).
While the latter evaluator may look rather unusual, it is a better starting point
for static analyses. First, only AST objects need to be approximated. Second,
approximations are simply obtained by merging multiple copies into a single one.
These two facts largely contribute to the simplicity of the analysis.
In [14], the decision to merge or not multiple copies of a function is relegated
to an external function $\mathcal{F}$, called the approximation function. This yields a family
of analyses including the k-CFA analyses. Technically, $\mathcal{F}$ takes as argument an
abstraction and a program point at which the abstraction is applied and returns
another abstraction equal to an α-conversion of its second argument (we do not
identify terms up to α-conversion and rather see bound variables as memory
locations). The set $S(e)$ of a program point $e$ is then defined as the least solution
to the system of constraints generated by the rules:

$S(\lambda x.B) = \{\lambda x.B\}$ (Values of abstraction)

$S(F@A) = \bigcup_i S(B'_i)$ (Values of call)

where $\lambda x_i.B_i \in S(F)$ (Each possible function)

$\lambda x'_i.B'_i = \mathcal{F}(F@A, \lambda x_i.B_i)$ (Approximated functions)

$S(x'_i) \supseteq S(A)$ (Values of variables)

By taking appropriate instantiations for $\mathcal{F}$, one obtains analyses of different
precision: e.g. one may recover the evaluator by forcing $\mathcal{F}$ to make a fresh copy
always, and one may recover the well-known 0-CFA analysis [16] by forcing $\mathcal{F}$
to return its second argument always. These results scale up to the $\mathcal{L}_{ioe}$-
calculus, which we define below.
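The two instantiations just mentioned, carried out on a small term, as an added example (illustration code written for this page, not the implementation from [14] nor the authors' prototype). It builds the AST with identity-based program points, implements α-conversion by renaming under the assumption that bound names are pairwise distinct, and solves the constraints by fixpoint iteration for two choices of $\mathcal{F}$: one that returns its second argument (0-CFA) and one that returns a memoised copy per call site (a 1-CFA-style injection; the memo is what keeps the number of copies finite). The evaluator instantiation, a fresh copy on every application, is left out because a fixpoint iteration would not terminate with it. The names `sra` and `S_bar` and the `'` copy suffix are this example's choices; `S_bar` anticipates the quotient $\overline{S}$ of Section 4.1, since once copies exist the values of an original call site are spread over its copies.

```python
# Added example: SRA for the call-by-value lambda-calculus, parameterised by the
# approximation function F (illustration code for this page, not the authors').
import itertools
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(eq=False)          # eq=False: a node is its own program point (hashes by identity)
class Lam:
    x: str
    body: "Term"
    orig: Optional["Lam"] = None   # the node this one is an alpha-copy of (None: original)

@dataclass(eq=False)
class Var:
    x: str
    orig: Optional["Var"] = None

@dataclass(eq=False)
class App:
    f: "Term"
    a: "Term"
    orig: Optional["App"] = None

Term = Union[Lam, Var, App]

def klass(e):
    """The equivalence class of e: its original node."""
    return e.orig or e

def subterms(t):
    yield t
    if isinstance(t, Lam):
        yield from subterms(t.body)
    elif isinstance(t, App):
        yield from subterms(t.f)
        yield from subterms(t.a)

def rename(t, old, new):
    """B{x <- g}: alpha-conversion by renaming; every node of the result remembers
    its original. Bound names are assumed pairwise distinct, so capture cannot occur."""
    if isinstance(t, Var):
        return Var(new if t.x == old else t.x, klass(t))
    if isinstance(t, Lam):
        return Lam(t.x, rename(t.body, old, new), klass(t))
    return App(rename(t.f, old, new), rename(t.a, old, new), klass(t))

_gensym = itertools.count(1)

def copy(lam):
    """lambda g.B' with g = gensym(): a copy alpha-equivalent to lam."""
    g = f"{lam.x}'{next(_gensym)}"
    return Lam(g, rename(lam.body, lam.x, g), klass(lam))

def F0(call, lam):
    """0-CFA: F returns its second argument, so no copy is ever made."""
    return lam

def make_F1():
    """1-CFA-style F: one memoised copy per (call site, abstraction) pair, i.e. an
    injection on that pair, so the fixpoint creates only finitely many copies."""
    cache = {}
    def F1(call, lam):
        if (call, lam) not in cache:
            cache[(call, lam)] = copy(lam)
        return cache[(call, lam)]
    return F1

def sra(prog, F):
    """Least solution of the constraints. S maps a program point (AST node) or a
    bound-variable name (a memory location) to a set of abstractions."""
    S = {}
    S_of = lambda k: S.setdefault(k, set())
    work = list(subterms(prog))
    seen = set(work)
    changed = True
    while changed:
        size = sum(len(v) for v in S.values())
        changed = False
        for e in list(work):
            if isinstance(e, Lam):
                S_of(e).add(e)                        # values of abstraction
            elif isinstance(e, Var):
                S_of(e).update(S_of(e.x))             # a variable yields what its location holds
            else:
                for lam in list(S_of(e.f)):           # each possible function
                    lam2 = F(e, lam)                  # approximated function
                    if lam2 not in seen:              # a new copy: its body must be analysed too
                        new = list(subterms(lam2))
                        seen.update(new)
                        work.extend(new)
                        changed = True
                    S_of(lam2.x).update(S_of(e.a))    # values of variables: S(x') >= S(A)
                    S_of(e).update(S_of(lam2.body))   # values of call: S(F@A) >= S(B')
        changed |= sum(len(v) for v in S.values()) != size
    return S

def S_bar(S, e):
    """S-bar(e): the union of S over every copy of e, hiding the generated AST nodes."""
    return set().union(*(v for k, v in S.items() if not isinstance(k, str) and klass(k) is klass(e)))

def bound_names(lams):
    """Bound variable of each abstraction, with the copy suffix stripped."""
    return sorted({l.x.split("'")[0] for l in lams})

def example():
    """(lambda i. (lambda d. i@(lambda b.b)) @ (i@(lambda a.a))) @ (lambda x.x): the
    identity is applied at two call sites; 0-CFA merges them, 1-CFA keeps them apart."""
    call1 = App(Var("i"), Lam("a", Var("a")))
    call2 = App(Var("i"), Lam("b", Var("b")))
    prog = App(Lam("i", App(Lam("d", call2), call1)), Lam("x", Var("x")))
    S0, S1 = sra(prog, F0), sra(prog, make_F1())
    return (bound_names(S_bar(S0, call1)), bound_names(S_bar(S0, call2)),
            bound_names(S_bar(S1, call1)), bound_names(S_bar(S1, call2)))
```

Under 0-CFA both call sites are approximated by `['a', 'b']` because the single bound variable `x` collects both arguments; under the per-call-site copy each site sees only the argument passed to it.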

3 Static Reduction Analysis for the $\mathcal{L}_{ioe}$-Calculus

3.1 The Imperative Object-Oriented Language $\mathcal{L}_{ioe}$

The $\mathcal{L}_{ioe}$ language is an untyped object-oriented language featuring method calls,
assignments, control structures (conditionals and exceptions), pointer equality,
arithmetic operations and comparison operators. Programs are defined as a list
of classes, which are themselves described by their lists of fields and methods.
Inheritance between classes is left abstract and given by a partial order $\le$ on
Class. The full syntax of the language is described in Figure 1. Note that:

— in order to simplify the presentation, methods are assumed to have at least
one argument. To handle static methods without arguments, a dummy
argument must be added;

— New expressions allocate a new object with explicit initial values. In an
expression $New(c.a^*)$, the argument $a_i$ provides the initial value for the
field $f_i$ of the resulting object;

— Vector expressions are declared with the vector length and an initial value
that is shared by all cells;

— there are no global variables (static variables in Java). However, static
variables can be emulated by introducing a specific class Global having a unique
instance created at the beginning of the program. This instance holds all the
global variables and, to be accessed, must be given as first argument to all
methods. All other Java modifiers are handled by the lookup function;

— the this variable must appear explicitly as the first parameter of non-static
methods (implicitly added in our examples);

— like in Java, Try expressions include a list of guards and introduce methods
which may include free variables. These methods have a specific status during
the copying process, see the end of Subsection 3.2, and may be used to
emulate sequences, local variables and while loops.

    Program   = Class*
    Class     = Field* x Method*
    Method    = Var* x Expr
    Guard     = Class x Method
    Expr      = Union of the types listed below

    Data      = Z                        (integer)
    New       = Class x Expr*            (object allocation with initial values)
    Vector    = Expr x Expr              (vector allocation with shared initial value)
    Op        = Prim x Expr x Expr       (arithmetic operation)
    Call      = Method x Expr*           (method invocation)
    GetVar    = Var                      (variable)
    SetVar    = Var x Expr               (assignment)
    GetField  = Expr x Field             (read inside object)
    SetField  = Expr x Field x Expr      (write inside object)
    If        = Expr x Expr x Expr       (conditional)
    Comp      = Prim x Expr x Expr       (arithmetic comparison)
    Eq        = Expr x Expr              (pointer equality)
    GetVector = Expr x Expr              (read inside vector)
    SetVector = Expr x Expr x Expr       (write inside vector)
    Length    = Expr                     (length of vector)
    Throw     = Expr                     (throwing an exception)
    Try       = Expr x Guard*            (catching an exception)

Fig. 1. The language

Evaluation is call-by-value and arguments are evaluated from left to right. The
evaluator is derived as an instance of the analysis by taking as approximation
function the function $\mathcal{F}_{ev}$ which always makes a fresh copy of method calls. In
the sequel, we adopt the following useful conventions:

— We let $Cons(a.b)$ denote an element of a product type $Cons = A \times B$ and
$a^*$ denote an element of a vector type $A^*$. Moreover, we let $\|a^*\|$ denote the
length of $a^*$. For $1 \le i \le n$, we let $a_i$ denote the $i$-th element of $a^*$ and, if
$\|a^*\| \ne 0$, we let $Tail(a^*)$ denote the tail of $a^*$.

— The cardinal of a set $A$ is denoted by $\|A\|$ and its powerset is denoted by
$\mathcal{P}(A)$. Moreover, relations or graphs on $A$ are specified as functions $f : A \to \mathcal{P}(A)$
and the transitive closure of $f$, $f^+ : A \to \mathcal{P}(A)$, is defined by the
clauses:

$y \in f(x) \Rightarrow y \in f^+(x)$

$(y \in f^+(x) \wedge z \in f(y)) \Rightarrow z \in f^+(x)$

The inverse $f^{-1} : A \to \mathcal{P}(A)$ of $f : A \to \mathcal{P}(A)$ is defined by:

$f^{-1}(y) = \{x \in A \mid y \in f(x)\}$

— If $c = Class(f^*.m^*)$ then $Index(g, c)$ is the unique (if it exists) $i$ such that
$f_i = g$.



3.2 Static Reduction Rules for the Calculus 

Static Reduction Analysis assigns to each expression of a program a set of
possible values. Values are themselves expressions and can be numerals, arithmetic
operations (viewed as $\mathbb{Z}$ constructors so as to ensure termination of the
analysis), vectors or New objects. In other words, Static Reduction Analysis may be
viewed as a function $S : Expr \cup Var \to \mathcal{P}(Value)$ with

$Value = Data \cup Op \cup Vector \cup New$

Below we assume given:

— a lookup function $Lookup : Method, Value^* \to Method$ for method resolution;

— an approximation function $\mathcal{F} : Call, Method, Value^* \to Method$ for deciding
about method copying.

Moreover, we assume given two specific boolean values true and false; e.g. they
can be the unique instances of two classes True and False and thus true, false
are included in New.



Auxiliary functions The analysis relies on several auxiliary functions, which
we describe below:

— a function down $\mathcal{D}$, which returns the left leaf of an expression;

— a function next $\mathcal{N}$, which approximates evaluation flow;

— a function up $\mathcal{U}$, which approximates dynamic scope and the call graph.



The down function $\mathcal{D} : Expr \to Expr$ returns the left leaf of an expression.

DATA$_\mathcal{D}$: $e = Data(n) \Rightarrow \mathcal{D}(e) = e$

GETVAR$_\mathcal{D}$: $e = GetVar(v) \Rightarrow \mathcal{D}(e) = e$

NEW$_\mathcal{D}$: $e = New(c.a^*) \Rightarrow \mathcal{D}(e) =$ if $\|a^*\| = 0$ then $e$ else $\mathcal{D}(a_1)$

OP$_\mathcal{D}$: $e = Op(f.a.b) \Rightarrow \mathcal{D}(e) = \mathcal{D}(a)$

The definition of $\mathcal{D}$ on other expressions is straightforward and similar to
OP$_\mathcal{D}$.
The next function $\mathcal{N} : (Expr \cup Method) \to \mathcal{P}(Expr \cup Method)$ approximates
evaluation flow. Intuitively, $e_2 \in \mathcal{N}^{-1}(e_1)$ if the evaluator would have computed
$e_1$ before computing $e_2$. Note that the definition of $\mathcal{N}$ relies on the function $\mathcal{A}$
defined in Subsection 3.2, which approximates the arguments and corresponding
methods activated on a call site.

METHOD$_\mathcal{N}$: $m = Method(v^*.b) \Rightarrow \mathcal{N}(m) \ni \mathcal{D}(b)$

NEW$_\mathcal{N}$: $e = New(c.a^*) \wedge 1 \le i < \|a^*\| \Rightarrow \mathcal{N}(a_i) \ni \mathcal{D}(a_{i+1})$

$e = New(c.a^*) \wedge \|a^*\| > 0 \Rightarrow \mathcal{N}(a_{\|a^*\|}) \ni e$

IF$_\mathcal{N}$: $e = If(p.a.b) \wedge true \in S(p) \Rightarrow \mathcal{N}(p) \ni \mathcal{D}(a) \wedge \mathcal{N}(a) \ni e$

$e = If(p.a.b) \wedge false \in S(p) \Rightarrow \mathcal{N}(p) \ni \mathcal{D}(b) \wedge \mathcal{N}(b) \ni e$

CALL$_\mathcal{N}$: $e = Call(m.a^*) \wedge 1 \le i < \|a^*\| \Rightarrow \mathcal{N}(a_i) \ni \mathcal{D}(a_{i+1})$

$e = Call(m.a^*) \wedge m'.o^* \in \mathcal{A}(e) \Rightarrow \mathcal{N}(a_{\|a^*\|}) \ni m'$

$e = Call(m.a^*) \wedge (v^*.b).o^* \in \mathcal{A}(e) \Rightarrow \mathcal{N}(b) \ni e$

OP$_\mathcal{N}$: $e = Op(f.a.b) \Rightarrow \mathcal{N}(a) \ni \mathcal{D}(b) \wedge \mathcal{N}(b) \ni e$

In all other cases, except Try, $\mathcal{N}$ is a left-to-right traversal of the AST as in
OP$_\mathcal{N}$. The definition of $\mathcal{N}$ for Try is deferred until the end of this subsection.
There are several points worth noting:

— methods are added to the domain and codomain of $\mathcal{N}$ to highlight a method
entry point;

— conditionals may give rise to multiple evaluation flow paths: if $S(p) = \{true, false\}$
then for $e = If(p.a.b)$, $\mathcal{N}^{-1}(e) = \{a, b\}$.

The up function $\mathcal{U} : (Expr \cup Method) \to \mathcal{P}(Expr \cup Method)$ approximates both
dynamic scope and the call graph. As for the $\mathcal{N}$ function, the definition of $\mathcal{U}$
relies on the function $\mathcal{A}$ defined in Subsection 3.2.

METHOD$_\mathcal{U}$: $m = Method(v^*.b) \Rightarrow \mathcal{U}(b) \ni m$

CALL$_\mathcal{U}$: $e = Call(m.a^*) \wedge m'.o^* \in \mathcal{A}(e) \Rightarrow \mathcal{U}(m') \ni e$

OP$_\mathcal{U}$: $e = Op(f.a.b) \Rightarrow \mathcal{U}(a) = \mathcal{U}(b) = \{e\}$

In other cases, as in OP$_\mathcal{U}$, $\mathcal{U}$ is the inverse of the tree structure induced by
the AST.



Values In order to reflect the call-by-value evaluation strategy, the rules for $S$
on values check whether their subterms may yield a value. E.g. if $a$ or $b$ has no
possible value then $Op(f.a.b)$ has no possible value either.

DATA$_S$: $e = Data(n) \Rightarrow S(e) \ni e$

NEW$_S$: $e = New(c.a^*) \wedge (\forall i \in [1, \|a^*\|].\ S(a_i) \ne \emptyset) \Rightarrow S(e) \ni e$

VECTOR$_S$: $e = Vector(n.a) \wedge S(n) \ne \emptyset \wedge S(a) \ne \emptyset \Rightarrow S(e) \ni e$

OP$_S$: $e = Op(f.a.b) \wedge S(a) \ne \emptyset \wedge S(b) \ne \emptyset \Rightarrow S(e) \ni e$



Method call Since the dynamic types of the arguments can be found via $S$, we
can approximate the arguments and corresponding method activated on a call
site by the function $\mathcal{A} : Call \to \mathcal{P}(Method \times Value^*)$ defined by the clause

$\mathcal{A}(e) = \{m'.o^* \mid \forall 1 \le i \le \|a^*\|.\ o_i \in S(a_i) \wedge m' = \mathcal{F}(e, Lookup(m, o^*), o^*)\}$ if $e = Call(m.a^*)$.

Note that the definition of $\mathcal{A}$ reflects the call-by-value strategy since we need
at least one value for each argument. With $\mathcal{A}$ we can define $S$ both on method
calls and variables.

CALL$_S$: $e = Call(m.a^*) \wedge (v^*.b).o^* \in \mathcal{A}(e) \Rightarrow S(v_i) \supseteq S(o_i)$ $(1 \le i \le \|a^*\|)$

$e = Call(m.a^*) \wedge (v^*.b).o^* \in \mathcal{A}(e) \Rightarrow S(e) \supseteq S(b)$

The first rule transmits the values of arguments to formal parameters whereas
the second rule transmits the values computed by the methods to the caller.



Variables Variables are approximated by following $\mathcal{N}^{-1}$ until reaching Method
or SetVar nodes where their value has been initialised or modified. Upon reaching
Method and SetVar nodes involving the variable $v$ to be approximated, the
traversal is interrupted and, in particular, does not attempt to reach earlier
Method and SetVar nodes involving $v$. In order to ensure termination of the
analysis, the function SearchVar specifying the traversal admits an extra
argument that takes care of cycles in $\mathcal{N}^{-1}$-paths by keeping track of the expressions
that have already been inspected.

GETVAR$_S$: $e = GetVar(v) \Rightarrow S(e) \supseteq SearchVar(v, e, \emptyset)$

where

$SearchVar(v, e, s) =$ if $(e \in s)$ then $\emptyset$
  else if $(e = Method(v^*.b) \wedge v \in v^*)$ then $S(v)$
  else if $(e = SetVar(v.a))$ then $S(a)$
  else $SearchVar_{aux}(v, e, s)$

$SearchVar_{aux}(v, e, s) = \bigcup_{e_i \in \mathcal{N}^{-1}(e)} SearchVar(v, e_i, s \cup \{e\})$

Example 1. The approximation of x in x = 1; x = 2 is 2.
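The traversal specified by SearchVar, run on the introduction's `x=1; x=2` and `x=secret; x=public` programs and on Example 1, as an added example (illustration code for this page, not the authors' prototype). It places the control-flow insensitive merge beside SearchVar so the difference in precision is visible, and adds a loop case to show that the accumulator $s$ stops the traversal on an $\mathcal{N}^{-1}$ cycle. The `Node` type, the explicit predecessor dictionary standing in for $\mathcal{N}^{-1}$, and the pre-filled $S$ entries for literals and parameters are assumptions of the example.

```python
# Added example: the SearchVar traversal along N^-1 beside the flow-insensitive
# merge it replaces (illustration code for this page, not the authors' prototype).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(eq=False)                 # nodes are program points: identity, not structure
class Node:
    kind: str                        # "Method", "SetVar", "GetVar" or "Data"
    var: Optional[str] = None        # SetVar / GetVar: the variable v
    params: Tuple[str, ...] = ()     # Method: its formal parameters v*
    value: object = None             # SetVar: the assigned expression a; Data: the literal n

def chain(stmts):
    """N^-1 for straight-line code: each statement's predecessor is the one before it."""
    return {b: [a] for a, b in zip(stmts, stmts[1:])}

def search_var(v, e, preds, S, s=frozenset()):
    """SearchVar(v, e, s): follow N^-1 from e until a Method binding v or a SetVar of v;
    the accumulator s stops the traversal on cycles in N^-1-paths."""
    if e in s:
        return set()
    if e.kind == "Method" and v in e.params:
        return set(S.get(v, ()))             # S(v): the values passed for the parameter
    if e.kind == "SetVar" and e.var == v:
        return set(S[e.value])               # S(a): the assigned expression's values
    return set().union(*(search_var(v, p, preds, S, s | {e}) for p in preds.get(e, ())))

def merge_all(v, nodes, S):
    """The control-flow insensitive approximation: every assignment to v, anywhere."""
    out = set(S.get(v, ()))
    for n in nodes:
        if n.kind == "SetVar" and n.var == v:
            out |= S[n.value]
    return out

def assign_twice(first, second):
    """x = first; x = second; x  -> (flow-insensitive, SearchVar) approximations of the read."""
    S = {}
    d1, d2 = Node("Data", value=first), Node("Data", value=second)
    S[d1], S[d2] = {first}, {second}                  # DATA_S: a literal is its own value
    s1, s2 = Node("SetVar", var="x", value=d1), Node("SetVar", var="x", value=d2)
    read = Node("GetVar", var="x")
    preds = chain([s1, s2, read])
    return merge_all("x", [s1, s2, read], S), search_var("x", read, preds, S)

def loop_example():
    """m(x) { y = 1; x } with a back edge from the read to y = 1 (a while loop emulated
    as in the paper); the caller passed 7 for x. SearchVar must terminate on the cycle."""
    S = {"x": {7}}                                    # constructed: S(x) from the call rule
    one = Node("Data", value=1)
    S[one] = {1}
    m = Node("Method", params=("x",))
    set_y = Node("SetVar", var="y", value=one)
    read_x = Node("GetVar", var="x")
    preds = chain([m, set_y, read_x])
    preds[set_y].append(read_x)                       # back edge: y = 1 may follow the read
    return search_var("x", read_x, preds, S)

if __name__ == "__main__":
    print(assign_twice(1, 2))                         # ({1, 2}, {2})
    print(assign_twice("secret", "public"))           # ({'secret', 'public'}, {'public'})
    print(loop_example())                             # {7}
```

For the information-flow case the flow-insensitive approximation would report a leak (a secret value reaching a variable deemed public) that the program cannot exhibit; SearchVar returns {public} and the false report disappears.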



352 Gilles Barthe and Bernard Paul Serpette

Pointer equality Our analysis does not provide enough information to
approximate pointer equality precisely. Indeed, approximations may only be used
to detect inequality: if $S(a) \cap S(b) = \emptyset$, then $a$ and $b$ cannot be physically equal.
In other cases, i.e. when $S(a) \cap S(b) \ne \emptyset$, one cannot conclude. While most
static analyses adopt such an imprecise viewpoint, there exist several dedicated
alias analyses, see e.g. [15,18], which provide precise approximations of pointer
equality. Here we opt for an intermediate approach by letting approximations
for pointer equality depend on an auxiliary function $\phi_=$, which acts as a
(rudimentary) pointer analysis.

EQ$_S$: $e = Eq(a.b) \Rightarrow S(e) \supseteq DecideEq(a, b)$

where

$DecideEq(a, b) =$ if $S(a) = \emptyset \vee S(b) = \emptyset$ then $\emptyset$
  else if $S(a) \cap S(b) = \emptyset$ then $\{false\}$
  else if $S(a) = S(b) \wedge \phi_=(a)$ then $\{true\}$
  else $\{true, false\}$

There are multiple implementations of the function $\phi_=$. The simple-minded
approach referred to above is to define $\phi_=(x) = false$. In order to enhance the
precision of the analysis, our prototype implementation of SRA (see Subsection 5.1)
returns true for $\phi_=(e)$ whenever $S(e) = \{o\}$ and there exists only one path
starting from $o$ and following $\mathcal{U}$. Our choice for such a rudimentary implementation
is motivated by the following facts:

— the definition of $\phi_=$ is accurate enough to derive the evaluator as a specific
instance of our analysis;

— the definition of $\phi_=$ is sufficient to illustrate how the choice of $\phi_=$ influences
the quality of approximations for field and vector access;

— more sophisticated implementations of $\phi_=$ rely on techniques that are
orthogonal to SRA and beyond the scope of this paper.

Example 2. The following example illustrates some of the subtleties involved
with alias analysis.

    class T {
      static main() {
        create() == create();
      }
      static create() {
        new T();
      }
    }

The equality will be approximated to false whenever the approximation function
produces two different copies for the two invocations of create; this essentially
corresponds to k-CFA for k ≥ 1. If the approximation function merges the two
invocations of create in a single copy, as done by 0-CFA, then the equality is
approximated to {true, false}.

Example 3. The following example illustrates the usefulness of $\phi_=$.

    class T {
      static main() {
        let o = new T();
        o == o;
      }
    }

Whereas standard analyses (setting $\phi_=(x) = false$) approximate pointer
equality by {true, false}, our approximation yields {true} since $\phi_=(o)$ holds.
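DecideEq with $\phi_=$ supplied as a parameter, run on Examples 2 and 3, as an added example (illustration code for this page, not the authors' prototype). Nodes are labelled strings constructed for readability, $S$ and $\mathcal{U}$ are given directly as dictionaries, and `phi_unique_path` encodes the prototype's rule described above ($S(e) = \{o\}$ and a single $\mathcal{U}$-path from $o$); treating a node revisited on that path as "not unique" is this example's own choice.

```python
# Added example: DecideEq with phi_= as a parameter, run on Examples 2 and 3
# (illustration code for this page, not the authors' prototype).

def phi_never(e, S, U):
    """The simple-minded pointer analysis: phi_=(x) = false for every x."""
    return False

def phi_unique_path(e, S, U):
    """The prototype's rule: phi_=(e) holds iff S(e) = {o} and only one path follows
    U from o. A node with several parents is a U-fork; reaching a node twice
    (recursion) is treated as not unique (an assumption of this example)."""
    if len(S[e]) != 1:
        return False
    (node,) = S[e]
    visited = set()
    while True:
        if node in visited:
            return False
        visited.add(node)
        parents = U.get(node, [])
        if len(parents) > 1:
            return False
        if not parents:
            return True
        node = parents[0]

def decide_eq(a, b, S, U, phi):
    """DecideEq(a, b) for e = Eq(a.b); S maps expressions to sets of value nodes."""
    if not S[a] or not S[b]:
        return set()
    if S[a].isdisjoint(S[b]):
        return {False}
    if S[a] == S[b] and phi(a, S, U):
        return {True}
    return {True, False}

def example2(copy_create):
    """create() == create(): with two copies of create (k-CFA, k >= 1) the call sites
    have disjoint values; merged (0-CFA) they share one New node under a U-fork."""
    if copy_create:
        S = {"create()#1": {"new T()#1"}, "create()#2": {"new T()#2"}}
        U = {"new T()#1": ["create#1"], "create#1": ["create()#1"],
             "new T()#2": ["create#2"], "create#2": ["create()#2"]}
    else:
        S = {"create()#1": {"new T()"}, "create()#2": {"new T()"}}
        U = {"new T()": ["create"], "create": ["create()#1", "create()#2"]}
    return decide_eq("create()#1", "create()#2", S, U, phi_unique_path)

def example3(phi):
    """let o = new T(); o == o: both reads see the single allocation, whose only
    U-path climbs from the allocation through let o to main."""
    S = {"o@left": {"new T()"}, "o@right": {"new T()"}}
    U = {"new T()": ["let o"], "let o": ["main"], "main": []}
    return decide_eq("o@left", "o@right", S, U, phi)
```

`example2(True)` yields {false}, `example2(False)` yields {true, false}, and `example3` yields {true} with `phi_unique_path` but {true, false} with `phi_never`.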
Fields The rules for fields essentially follow the same pattern as those for
variables and use an auxiliary function SearchField to compute the approximations
for field access. The function SearchField takes as arguments an object $o$ and a
field $f$ of this object, an expression $e$ providing the AST upon which the traversal
is to be made, and an accumulator $s$ to keep track of nodes that have been
visited previously so as to prevent loops. SearchField specifies a traversal along
$\mathcal{N}^{-1}$-paths until reaching corresponding New or SetField nodes. Upon reaching
such a node, say $SetField(t.f.a)$, one checks whether $o$ is a possible value of the
target expression, i.e. $o \in S(t)$; if so, then the new constraint $S(a) \subseteq S(e)$ is added.
Then the search proceeds recursively.

GETFIELD$_S$: $e = GetField(o.f) \Rightarrow S(e) \supseteq \bigcup_{o_i \in S(o) \cap New} SearchField(o_i, f, e, \emptyset)$

where

$SearchField(o, f, e, s) =$
  if $(e \in s)$ then $\emptyset$
  else if $(e = SetField(t.f.a) \wedge o \in S(t))$ then $S(a) \cup SFcont(t, o, f, e, s)$
  else if $(e = o = New(c.a^*))$ then $S(a_{Index(f,c)}) \cup SFcont(o, o, f, e, s)$
  else $SearchField_{aux}(o, f, e, s)$

$SFcont(t, o, f, e, s) =$ if $\phi_=(t)$ then $\emptyset$ else $SearchField_{aux}(o, f, e, s)$

$SearchField_{aux}(o, f, e, s) = \bigcup_{e_i \in \mathcal{N}^{-1}(e)} SearchField(o, f, e_i, s \cup \{e\})$

Note that, unlike for variables, one cannot systematically stop the search at
nodes $SetField(t.f.a)$ satisfying $o \in S(t)$ or at the creation node.

Example 4. Here is a simple example demonstrating why the search needs to
proceed beyond creation nodes. Here the approximation function is supposed
not to make copies of create.

    class T {
      field x;
      static main() {
        let o1 = create(1);
        o1.x = 2;
        let o2 = create(3);
        o1.x;
      }
      static create(n) {
        new T(n);
      }
    }

Beginning at o1.x, the only $\mathcal{N}^{-1}$-path reaches new T(n). If we stop the search
here, then one would obtain

$S(o1.x) = S(n) = \{1, 3\}$

which is incorrect: indeed the approximation is not conservative since o1.x
evaluates to 2.

Now let us show that our rules are correct. Since there is a $\mathcal{U}$-fork from
method create, we have to continue the search and can thus reach the o1.x=2
node. The approximation now becomes conservative:

$S(o1.x) = \{1, 2, 3\}$



Example 5. The following example illustrates how $\phi_=$ may be used to good
effect to improve the quality of approximations. If the approximation function
duplicates the method create in the above example, the approximation of o1.x
coincides with its approximation in the example below:

    class T {
      field x;
      main() {
        let o1 = create1(1);
        o1.x = 2;
        let o2 = create2(3);
        o1.x;
      }
      create1(n) {
        new T(n);
      }
      create2(n) {
        new T(n);
      }
    }

Beginning at o1.x, the only $\mathcal{N}^{-1}$-path bypasses the allocation done in create2
(since this is not a value of o1) and reaches directly the o1.x = 2 node, yielding
2 as a result. The search stops at this node since there is no $\mathcal{U}$-fork starting from
the method create1.



Conditionals and arithmetic comparisons The rules for conditionals are
straightforward:

IF$_S$: $e = If(p.a.b) \wedge true \in S(p) \Rightarrow S(e) \supseteq S(a)$

$e = If(p.a.b) \wedge false \in S(p) \Rightarrow S(e) \supseteq S(b)$

Arithmetic comparisons are more subtle to handle. Since arithmetic
operations are not reduced by $S$, one needs to execute recursively all arithmetic
operations pending before proceeding to the comparison. As for variables,
termination of the analysis is ensured by an auxiliary function which detects cycles
in the above mentioned process. In case a cycle is detected, then the execution
of arithmetic operations is aborted and both true and false are returned.
COMP$_S$: $e = Comp(f.a.b) \wedge a' \in Collect(a) \wedge b' \in Collect(b) \Rightarrow S(e) \ni \underline{Comp}\ a'\ b'$

$e = Comp(f.a.b) \wedge CollectLoop(a) \Rightarrow S(e) \supseteq \{true, false\}$

$e = Comp(f.a.b) \wedge CollectLoop(b) \Rightarrow S(e) \supseteq \{true, false\}$

where

$Collect(d) = \{n \mid Data(n) \in S(d)\} \cup \{a'\ \underline{f}\ b' \mid a' \in Collect(a) \wedge b' \in Collect(b) \wedge Op(f.a.b) \in S(d)\}$

$CollectLoop(d) = S(d) \ne \emptyset \wedge CollectLoop_{aux}(d, \emptyset)$

$CollectLoop(op, s) =$ let $op = Op(f.a.b)$, $s' = s \cup \{op\}$ in
  $op \in s \vee CollectLoop_{aux}(a, s') \vee CollectLoop_{aux}(b, s')$

$CollectLoop_{aux}(e, s) = \bigvee_{(op = Op(f.a.b)) \in S(e)} CollectLoop(op, s)$

In the above rules, Collect computes recursively a set of integers by applying
the suitable operations. We underline function symbols to denote their
implementation, so that $3 \underline{+} 2$ is considered equal to 5. The function CollectLoop detects
whether any loop arises in the process of computing the Collect operations.
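Collect and CollectLoop run on a constructed $S$, as an added example (illustration code for this page, not the authors' prototype). Expressions are named by strings, Op nodes stay unreduced in $S$ as the $\mathbb{Z}$ constructors the text describes, and the underlined symbols are realised by looking the primitive up in a table. The loop check is made before collecting, since Collect on a cyclic $S$ would not terminate; the last case is a loop-carried counter, for which CollectLoop yields both truth values.

```python
# Added example: Collect and CollectLoop over a sample S (illustration code for
# this page, not the authors' prototype). Expressions are named by strings.
import operator
from dataclasses import dataclass

@dataclass(frozen=True)
class Data:                 # a numeral: the value is the integer itself
    n: int

@dataclass(eq=False)        # an Op node is a Z constructor: S keeps it unreduced
class Op:
    f: str                  # the primitive; OPS gives its implementation (the underlined f)
    a: str
    b: str

OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}   # underlined f
CMP = {"<": operator.lt, "==": operator.eq, ">": operator.gt}     # underlined Comp

def collect(d, S):
    """Collect(d): the integers d may evaluate to, reducing pending Op nodes
    recursively. Only call it after CollectLoop(d) has been ruled out."""
    out = set()
    for v in S.get(d, ()):
        if isinstance(v, Data):
            out.add(v.n)
        elif isinstance(v, Op):
            out |= {OPS[v.f](x, y) for x in collect(v.a, S) for y in collect(v.b, S)}
    return out

def collect_loop(d, S):
    """CollectLoop(d): S(d) is non-empty and reducing it revisits some Op node."""
    return bool(S.get(d)) and _loop_aux(d, S, frozenset())

def _loop_aux(e, S, s):
    # CollectLoop_aux(e, s): try each pending operation e may evaluate to
    return any(_loop_op(op, S, s) for op in S.get(e, ()) if isinstance(op, Op))

def _loop_op(op, S, s):
    # CollectLoop(op, s): revisiting op is a cycle; otherwise recurse on its operands
    if op in s:
        return True
    s2 = s | {op}
    return _loop_aux(op.a, S, s2) or _loop_aux(op.b, S, s2)

def comp_values(f, a, b, S):
    """S(e) for e = Comp(f.a.b): both truth values on a loop, otherwise the
    comparison applied to every pair of collected integers."""
    if collect_loop(a, S) or collect_loop(b, S):
        return {True, False}
    return {CMP[f](x, y) for x in collect(a, S) for y in collect(b, S)}

def sample_S():
    """Constructed S for: y = 3 + 2; k is 1 or 4 (two branches); i = 0 and, in a
    loop, i = i + 1, so one value of i is an Op whose operand is i itself."""
    S = {"three": {Data(3)}, "two": {Data(2)}, "six": {Data(6)}, "one": {Data(1)},
         "y": {Op("+", "three", "two")},
         "k": {Data(1), Data(4)},
         "i": {Data(0)}}
    S["i"].add(Op("+", "i", "one"))          # the loop body's value refers back to i
    return S

def example():
    S = sample_S()
    return (comp_values("<", "y", "six", S),      # {True}: 3 + 2 reduces to 5
            comp_values("<", "k", "six", S),      # {True}: both 1 and 4 are below 6
            comp_values("<", "k", "three", S),    # {True, False}: 1 < 3 but not 4 < 3
            comp_values("<", "i", "six", S))      # {True, False}: CollectLoop aborts
```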



Vectors The rules for vectors follow the same pattern as for fields and use an
auxiliary function SearchVector to compute approximations for vector access.
The function SearchVector takes as arguments a vector $a$ and an index $n$ in
this vector, an expression $e$ providing the AST upon which the traversal is to
be made, and an accumulator $s$ to keep track of nodes that have been visited
previously so as to prevent loops. SearchVector specifies a traversal along $\mathcal{N}^{-1}$-
paths until reaching corresponding Vector or SetVector nodes. Upon reaching
such a node, say $SetVector(t.n'.b)$, one checks whether $a$ is a possible value of
the target expression (i.e. $a \in S(t)$) and whether $n$ and $n'$ may yield the same
value (by using the rules provided for arithmetic comparisons); if so, then the new
constraint $S(b) \subseteq S(e)$ is added. Then the search proceeds recursively depending
on the same kind of check used in the field rules.

Finally, the rule for Length is straightforward:

LENGTH$_S$: $e = Length(a) \Rightarrow S(e) \supseteq \bigcup_{Vector(n.e_i) \in S(a)}$



Exceptions Exceptions in our language, as in Lisp, ML, Java or C++, have
a dynamic scope: an expression $e = Try(a.g^*)$ can only catch exceptions raised
during the execution of $a$. We therefore need to approximate the dynamic scope
of $a$; to this end, we use $(\mathcal{U}^+)^{-1}(a) = (\mathcal{U}^{-1})^+(a)$. Besides, exceptions may be
analysed by two different methods:

— starting from a Try, one might search for all the Throws in the evaluation
flow. In this case, we start from an expression $e = Try(a.g^*)$ and follow $\mathcal{N}$
from $\mathcal{D}(a)$ until reaching a node $Throw(e')$. However, $Throw(e')$ may lie
outside of the dynamic scope of $a$ and/or there may be another Try between
$e$ and $Throw(e')$ which catches the latter;

— starting from a Throw, one might search for all the surrounding Trys. In this
case, we start from an expression $e = Throw(a)$ and follow $\mathcal{U}$ until reaching
a node $Try(e'.g^*)$. However, several elements of Throw can reach the same
Try whereas only one is really activated.

In order to overcome the limitations of each method, the definition of $S$ on
exceptions uses both. More precisely, we start from a Try statement and search
all the Throw statements in the evaluation flow. When reaching such Throw
statements, we go back to check whether we recover the original Try statement.

TRY$_\mathcal{N}$: $e = Try(a.g^*) \wedge S(a) \ne \emptyset \Rightarrow \mathcal{N}(a) \ni e$

$e = Try(a.g^*) \wedge t.(m = v^*.b).o \in SearchThrow(a, g^*) \Rightarrow \mathcal{N}(t) \ni m \wedge \mathcal{N}(b) \ni e$

TRY$_S$: $e = Try(a.g^*) \Rightarrow S(e) \supseteq S(a)$

$e = Try(a.g^*) \wedge t.(m = v^*.b).o \in SearchThrow(a, g^*) \Rightarrow S(v_1) \ni o \wedge S(e) \supseteq S(b)$

where

$SearchThrow(a, g^*) = \bigcup_{t \in Thrown(\mathcal{D}(a), \emptyset),\ (o = New(c.a^*)) \in S(t)} SBTry(g^*, t, o, c)$

$Thrown(e, s) =$ if $(e \in s)$ then $\emptyset$
  else if $(\mathcal{U}(e) = \{Throw(e)\})$ then $\{e\}$
  else $\bigcup_{e_i \in \mathcal{N}(e)} Thrown(e_i, s \cup \{e\})$

$SBTry(g^*, t, o, c) = \{t.m_k.o \mid m_k \in SearchTry(g^*$

$SearchTry(g^*, c, e, s) =$ if $(e \in s)$ then $\emptyset$
  else if $(\mathcal{U}(e) = \{Try(e.g^*)\})$ then $Caught(g^*, c)$
  else if $(\mathcal{U}(e) = \{Try(e.g'^*)\})$ then
    if $Caught(g'^*, c) = \emptyset$
    then $SearchTry(g^*, c, \mathcal{U}(e)_1, s \cup \{e\})$
    else $\emptyset$
  else $\bigcup_{e_i \in \mathcal{U}(e)} SearchTry(g^*, c, e_i, s \cup \{e\})$

$Caught(g^*, c) =$ if $g^* = \emptyset$ then $\emptyset$
  else if $g_1 = c'.m \wedge c \le c'$ then $\{m\}$
  else $Caught(Tail(g^*), c)$

Note that:

— $SearchThrow(a, g^*)$ returns a set of $t.m.o$ where $t$ is a thrown expression
having a value $o$ which is caught by the method $m$ in $g^*$;

— the function Thrown finds all exceptions raised during the continuation ($\mathcal{N}$)
of an expression. $\mathcal{N}$ of the thrown expression is only defined when finding
the corresponding guards;

— SearchTry follows $\mathcal{U}$ until reaching a specific Try (given by its guards $g^*$);
observe that the predicate $\mathcal{U}(e) = \{Try(e.g^*)\}$ is used to specify that we
do not come from guards. SearchTry returns $\emptyset$ when reaching a nested Try
that has already caught the given exception value (given by its class $c$);

— the function Caught simply verifies whether a list of guards can catch a
specific class of exceptions. It is the only place where inheritance plays a role
in the analysis (apart from the Lookup function, which we leave unspecified);

— guards introduce local methods which, in order to ensure correctness, must
always be copied when the surrounding method is copied.
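Caught, with the inheritance order $\le$ computed from a direct-superclass relation by the $f^+$ closure defined in the conventions of Section 3.1, as an added example (illustration code for this page, not the authors' prototype). The class names, the guard list and the handler-method names are constructed for the example.

```python
# Added example: Caught(g*, c) with the inheritance order c <= c' derived from
# the direct-superclass relation through the f+ closure of the paper's conventions
# (illustration code for this page, not the authors' prototype).

def transitive_closure(f):
    """f+ for a relation f : A -> P(A): y in f(x) => y in f+(x), and
    y in f+(x), z in f(y) => z in f+(x)."""
    plus = {x: set(ys) for x, ys in f.items()}
    changed = True
    while changed:
        changed = False
        for x in plus:
            for y in list(plus[x]):
                for z in f.get(y, ()):
                    if z not in plus[x]:
                        plus[x].add(z)
                        changed = True
    return plus

def make_le(superclass):
    """The partial order on Class: c <= c' iff c' is c or one of its (transitive) superclasses."""
    plus = transitive_closure(superclass)
    return lambda c, c2: c == c2 or c2 in plus.get(c, set())

def caught(guards, c, le):
    """Caught(g*, c): walk the guards in order; the first guard c'.m with c <= c' wins."""
    if not guards:
        return set()
    (c2, m), *tail = guards
    if le(c, c2):
        return {m}
    return caught(tail, c, le)

# Constructed hierarchy and guard list (Java-like names chosen for this example).
SUPERCLASS = {"Exception": ["Throwable"], "IOException": ["Exception"],
              "FileNotFound": ["IOException"], "RuntimeException": ["Exception"],
              "Error": ["Throwable"]}
GUARDS = [("IOException", "handle_io"), ("Exception", "handle_any")]
LE = make_le(SUPERCLASS)

def demo():
    """Which guard method catches each thrown class; the guard order matters."""
    return {
        "FileNotFound": caught(GUARDS, "FileNotFound", LE),              # {'handle_io'}
        "RuntimeException": caught(GUARDS, "RuntimeException", LE),      # {'handle_any'}
        "Error": caught(GUARDS, "Error", LE),                            # set(): not caught here
        "reversed": caught(list(reversed(GUARDS)), "FileNotFound", LE),  # {'handle_any'}
    }
```

The last entry of `demo` shows why guard order is part of the analysis: with the Exception guard listed first it also catches FileNotFound, and the more specific handler is never selected, which is the same shadowing a reviewer looks for in hand-written catch chains.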
4 Approximation Functions

The quality and efficiency of SRA rely on the approximation function. The
purpose of this section is to define some standard approximation functions and
exemplify their behaviour on some small examples.

4.1 Equivalence Classes of Expressions

In order to be correct, approximation functions are required to return copies
that are α-equivalent to the original method. In order to enforce such a
requirement, we are led to consider expressions up to α-conversion and to introduce
the quotient set $\overline{Expr}$ of expressions up to α-conversion. Then one can define
$\overline{S} : \overline{Expr} \to \mathcal{P}(Value)$ by the clause

$\overline{S}(\overline{e}) = \{\overline{v} \mid v \in S(e') \wedge e' \in \overline{e}\}$

The auxiliary functions $\mathcal{N}$ and $\mathcal{U}$ can be merged the same way. Considering
$\overline{Expr}$ and $\overline{S}$ is useful for a number of purposes:

— comparisons between approximation functions may be formulated in terms
of $\overline{S}$. Formally, we define $\mathcal{F}_1 \le \mathcal{F}_2$ iff $\forall e \in \overline{Expr}.\ \overline{S}_{\mathcal{F}_1}(e) \subseteq \overline{S}_{\mathcal{F}_2}(e)$

— correct approximation functions are defined to be those functions $\mathcal{F}$ satisfying
$\overline{\mathcal{F}(e, m, o^*)} = \overline{m}$ for every $e$, $m$ and $o^*$. The correctness of SRA is then
expressed as $\mathcal{F}_{ev} \le \mathcal{F}$ for all correct approximation functions $\mathcal{F}$.

— synthetic results. Most post-SRA analyses only require to know the possible
values of the AST nodes of the original program. By considering $\overline{S}$ instead
of $S$, it is possible to hide the AST nodes generated by the analysis.

— termination criterion of SRA. Our analysis terminates if only a finite number
of copies is performed. One means to ensure that only a finite number of
copies is performed is to define approximation functions as injections whose
domains are the set of equivalence classes of calls and methods in the original
program.

4.2 General Approximation Functions

We have already seen that the approximation function is $\mathcal{F}_0(e, m, o^*) = m$ for
a 0-CFA-like analysis, and $\mathcal{F}_{ev}(e, m, o^*) = Copy(m)$ for the evaluator. The purpose
of this subsection is to illustrate the flexibility of our framework by defining
several well-known approximation functions.

1CFA is a well-known family of approximations where a method is copied at
most once for each class of call site. It may be formalized as any injection
$1CFA : Call, Method \to Method$ such that $\overline{1CFA(e, m)} = \overline{m}$. Then the associated
approximation function is $\mathcal{F}_1(e, m, o^*) = 1CFA(e, m)$. Intuitively, $\mathcal{F}_1$ unrolls
one stage of the $\mathcal{F}_0$-call graph.

CFA$_n$ To unroll more than one stage, we have to choose between two directions:
breadth and depth. The first direction will allow $n$ copies for a call
site, and is captured by the CFA$_n$ functions. Those may be any injection
$CFA_n : Call, Method \to Method^n$ such that $m_i \in CFA_n(e, m) \Rightarrow \overline{m_i} = \overline{m}$
and $m_i, m_j \in CFA_n(e, m) \wedge i \ne j \Rightarrow m_i \ne m_j$. The approximation
function must have a (fair) strategy to choose between the methods, so we
assume the existence of a function ChooseBetween enforcing fairness and set
$\mathcal{F}_{breadth(n)}(e, m, o^*) = ChooseBetween(CFA_n(e, m))$.

pCFA In order to capture unrolling, we use injections $pCFA : Call^p, Method \to Method$.
The first argument of pCFA, computed by a function CallStack, is
the sequence of (the equivalence classes of) the $p$ method call nodes on top of
the stack approximation; note that we don't collect a call node when we don't
come from a method body. If a stack has less than $p$ call nodes, we can safely
complete the sequence with an arbitrary call node.

pCFA$_n$ We can combine both directions by considering injections of the form
$pCFA_n : Call^p, Method \to Method^n$ with

$\mathcal{F}_{p,n}(e, m, o^*) = ChooseBetween(pCFA_n(CallStack(p, e), m))$

While the $\mathcal{F}_{p,n}$ approximation functions allow one to tune the precision of our
analysis, they also have a main defect: for $p$ or $n$ greater than 1, they unroll recursive
calls, whereas such unrolling does not yield any refinement in the analysis.

recCFA An alternative to the $\mathcal{F}_{p,n}$ functions is to merge methods only on
recursion. This yields an approximation function

$\mathcal{F}_r(e, m, o^*) =$ if $\|m^* = SearchRec(m, e, \emptyset)\| > 0$ then $m_1$ else $Cache(e, m)$

where

$SearchRec(m, e, s) =$ if $(e \in s)$ then $\emptyset$
  else if $(e = m)$ then $\{m\}$
  else $\bigcup_{e_i \in \mathcal{U}(e)} SearchRec(m, e_i, s \cup \{e\})$

Here Cache is any injection $Call, Method \to Method$ such that $\overline{Cache(e, m)} = \overline{m}$.
This function ensures that only a finite number of copies is made under a
specific call site and thereby guarantees termination.

OOCFA An approximation function which is more accurate for object-oriented
languages (single dispatch) will make copies for each different type of the target
object:

$\mathcal{F}_{oo}(e, m, o^*) =$ if $(o_1 = New(c.a^*))$ then $OOCFA(m, c)$ else $m$

where OOCFA is any injection $Method, Class \to Method$ such that

$\overline{OOCFA(m, c)} = \overline{m}$

This approximation function yields an analysis that bears some similarities with
Agesen's Cartesian Product Algorithm (CPA) [1].
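The approximation functions $\mathcal{F}_0$, $\mathcal{F}_1$, $\mathcal{F}_r$ and $\mathcal{F}_{oo}$ written as memoised injections and exercised on a recursive call graph and on a single-dispatch call, as an added example (illustration code for this page, not the authors' prototype). Methods carry a pointer to their original so that the equivalence class $\overline{m}$ is available; $\mathcal{U}$ is given as a dictionary; argument values are reduced to `New(c)` and `Data(n)`; the name `memo_injection` and the `#` copy suffix are this example's choices.

```python
# Added example: four approximation functions from this section as memoised
# injections, run on a recursive call graph (illustration code for this page,
# not the authors' prototype).
import itertools
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)
class Method:
    name: str
    orig: Optional["Method"] = None    # equivalence class: the original this is a copy of

@dataclass(eq=False)
class Call:
    label: str

@dataclass(frozen=True)
class New:                             # a value New(c.a*), reduced to its class name
    c: str

@dataclass(frozen=True)
class Data:
    n: int

_gensym = itertools.count(1)

def klass(m):
    return m.orig or m

def copy(m):
    """Copy(m): a fresh alpha-equivalent copy, in the same equivalence class."""
    return Method(f"{m.name}#{next(_gensym)}", klass(m))

def F0(e, m, o):
    """F_0: never copy (0-CFA)."""
    return m

def memo_injection(key_of):
    """An injection keyed by key_of(e, m, o), backed by a cache so the same key
    always yields the same copy; this is what keeps the number of copies finite."""
    cache = {}
    def F(e, m, o):
        key = key_of(e, m, o)
        if key not in cache:
            cache[key] = copy(m)
        return cache[key]
    return F

def make_F1():
    """F_1: one copy per (call site, method class) pair (1CFA)."""
    return memo_injection(lambda e, m, o: (e, klass(m)))

def make_Foo():
    """F_oo: one copy per (method class, class of the first argument); the method
    itself when the first argument is not a New value."""
    by_class = memo_injection(lambda e, m, o: (klass(m), o[0].c))
    return lambda e, m, o: by_class(e, m, o) if o and isinstance(o[0], New) else m

def make_Fr(U):
    """F_r (recCFA): reuse the method already on the U-path above the call site
    (recursion), otherwise a cached per-call-site copy."""
    cache = memo_injection(lambda e, m, o: (e, klass(m)))
    def search_rec(m, e, s):
        # SearchRec(m, e, s): follow U upward from e looking for m; s guards against cycles
        if e in s:
            return set()
        if e is m:
            return {m}
        return set().union(*(search_rec(m, ei, s | {e}) for ei in U.get(e, ())))
    def Fr(e, m, o):
        found = search_rec(m, e, frozenset())
        return next(iter(found)) if found else cache(e, m, o)
    return Fr

def recursion_demo():
    """main calls fact, whose body calls fact again. Per approximation function:
    (outer call gets the original?, recursive call gets the original?, same method?)"""
    main, fact = Method("main"), Method("fact")
    c_main, c_rec = Call("in main: fact(5)"), Call("in fact: fact(n-1)")
    U = {c_main: [main], c_rec: [fact], fact: [c_main, c_rec], main: []}   # the up relation
    out = {}
    for name, F in (("F0", F0), ("F1", make_F1()), ("Fr", make_Fr(U))):
        m1, m2 = F(c_main, fact, (Data(5),)), F(c_rec, fact, (Data(4),))
        out[name] = (m1 is fact, m2 is fact, m1 is m2)
    return out

def dispatch_demo():
    """F_oo on area(shape): copies are shared by receiver class, not by call site."""
    area, Foo = Method("area"), make_Foo()
    c1, c2 = Call("area(circle)"), Call("area(square)")
    a = Foo(c1, area, (New("Circle"),))
    b = Foo(c2, area, (New("Circle"),))     # same receiver class, other call site
    c = Foo(c1, area, (New("Square"),))     # other receiver class, same call site
    d = Foo(c1, area, (Data(1),))           # not an object: no copy at all
    return (a is b, a is c, d is area, klass(a) is area)
```

`recursion_demo` returns `(True, True, True)` for $\mathcal{F}_0$, `(False, False, False)` for $\mathcal{F}_1$, which copies fact at the recursive call site as well, and `(False, True, False)` for $\mathcal{F}_r$, which copies fact for the outer call but reuses it inside its own body.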

Example 6. In order to illustrate the differences between approximation
functions, consider the (contrived) program:

    class hh {
      static main() {
        f()*f()*f();
      }
      static f() {
        g();
      }
      static g() {
        h()+h()+h();
      }
      static h() {
        i();
      }
      static i() {
        1;
      }
    }

The behaviour of various approximation functions is displayed in Figure 2.
5 Concluding Remarks 

We have presented Static Reduction Analysis, a generic control-flow sensitive 
static analysis for Lioe, an untyped, object-oriented language with exceptions. 
The salient feature of our analysis is that it is AST-based and does not require 
approximating run-time values such as environments. 

Our work is an effort to provide a middle ground between general (but com- 
plex) analyses à la k-CFA and simpler (but more specific) analyses à la Set-Based 
Analysis, by allowing a simple definition of the analysis (the set of AST nodes is the 
only domain) while allowing a parametrization of the analysis through approx- 
imation functions. The exact relationship with alternative proposals based 
on constrained types, see e.g. [17], remains to be unveiled. 

5.1 Implementation 

We have developed a prototype implementation of SRA in LISP. The prototype, 
which includes a graphical user interface, represents 3000 lines of code, including 
500 lines for the SRA rules presented in this paper (in fact the implementation 
also deals with static methods without arguments by adding a dummy argument, 
called hook, to method calls) and 100 lines for the different approximation func- 
tions. 

The prototype supports all the functionalities described in this article (choice 
of the lookup function, choice of the approximation function), and also allows 
one to preview the call graphs (as PostScript files) of method calls in approximated 
programs. Thus far, the implementation has only been tested on small programs 
and no special provision has been made for efficiency. Further work is needed to 
achieve acceptable performance for large programs. 

5.2 Future Work 

We intend to pursue this work in two directions: first, we would like to establish 
formally the correctness of SRA and clarify its relationship with alternative 
proposals for polyvariant flow analysis, see e.g. [10,12,17]. Second, we would like 
to investigate applications of SRA, including partial evaluation and information 
flow. 

In a different line of work, we are interested in adapting Static Reduction 
Analysis to the Java Card Virtual Machine as formalised in [2]. 

Acknowledgments We would like to thank the anonymous referees for suggesting 
improvements to the paper. 
Abstract. In this paper we define a semantic foundation for an ab- 
stract interpretation approach to universal termination and we develop 
a new abstract domain useful for termination analysis. Based on this ap- 
proximation we define a method which is able to detect classes of goals 
which universally terminate (with a fair selection rule). We also define a 
method which is able to characterize classes of programs and goals for 
which depth-first search is fair. 

Keywords: Abstract interpretation, Logic programming, Infinite derivations, Universal 
termination. 

1 Introduction 

A lot of techniques have been proposed to approach various kinds of termi- 
nation problems for logic programs (see [22] for a detailed survey). For logic 
programs there exist basically two notions of termination: universal termination 
and existential termination. In this paper we will be concerned with universal 
termination only. 

The existing results on termination are either automatic methods for detect- 
ing non-termination or more theoretical approaches, providing manually verifi- 
able criteria for non-termination. In particular, there exist correct and complete 
methods to prove universal termination (see, for example, [2]). Since termination 
is known to be undecidable, such methods are not effective. On the other hand, 
there are techniques providing sufficient decidable conditions. For example, to 
prove that a logic program terminates for a given goal it is sufficient to prove 
a strict decrease in some measure over a well-founded domain on the sequence 
of procedure calls. Most of the termination analyses apply this approach but 
focus on different aspects of proving termination of programs. Several papers 
[23,10,38] tackle the problem of inferring norms and well-founded orders. Others 
[45,38,11,43,7] define techniques for computing inter-argument relations. The 
analysis in [34] shows how to infer classes of terminating queries using approx- 
imations on Natural and on Boolean constraint domains. Based on these ideas, 
several systems for automatic termination analysis have been proposed, such as 
TermiWeb [13], TermiLog [30], cTI [35] and Mercury's termination analyzer [42]. 

M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 362-380, 2000. 
(c) Springer-Verlag Berlin Heidelberg 2000 




An Abstract Interpretation Approach to Termination of Logic Programs 363 



These systems are very powerful and are able to automatically prove that classes 
of goals (for example, all the goals whose arguments are ground) universally 
terminate. Of course these systems are not able to analyze all programs. For 
example, since these systems are based on approximations on domains of sym- 
bolic norms, they have some problems in analyzing programs where termination 
depends on the structure of terms. 

Example 1. By using the systems in [30,35] we were not able to prove that the 
following program [31] always terminates. 

    P1 : at(telaviv, mary) 
         at(jerusalem, mary) 
         at(x, fido) ← at(x, mary), near(x) 
         near(jerusalem) 

Example 2. Consider now the program $P_2$. 

    P2 : p(a, b) 
         p(a, f(x)) ← p(a, x) 
         q(f(x), y) ← p(x, y) 

The analyses in [30,35] tell us that the query p(f(b), y) terminates if y is bound, 
e.g. finite and ground. Note however that p(f(b), y) does universally terminate 
for any y. 

Since automatic verification of termination must be based on some notion of 
approximation, it seems reasonable to tackle the problem by abstract interpre- 
tation techniques. Abstract interpretation techniques have already been used for 
validating termination analysis methods [45,31,14]. Moreover, [14] shows that 
the semantics in [24] is suitable to deal with termination and that some norm- 
based methods can be viewed as abstractions of this semantics. We want to push 
forward this approach, by explicitly using abstract interpretation to systemat- 
ically derive the "right" semantics to model termination and various effective 
abstractions modelling different abstract properties. In addition, abstract inter- 
pretation provides techniques to systematically combine different analyses in a 
powerful automatic system. As a matter of fact, we believe that most of the 
existing automatic methods [44,38,32,45,34] can be reconstructed as abstract in- 
terpretations of the "termination semantics" on suitable abstract domains. Such 
a reconstruction would allow one to easily combine the existing techniques and to 
extend them with new analyses based on new abstract domains, thus improving 
the precision of the approximate analysis. 

The main contributions of this paper are the definition of a semantic foun- 
dation for the abstract interpretation approach to universal termination and the 
development of a new abstract domain, which leads to an analysis which solves 
the problem shown in Examples 1 and 2. The abstract domain is a variation of 
the well-known depth-k abstraction. The resulting approximate analysis often 
devises classes of (terminating) goals which are smaller than the ones one would 
obtain using the systems in [30,35,13,42] or in general with methods based on 
inter-argument relations (see [22] for a detailed survey). However, the approxi- 
mation on the structure of terms can be improved by increasing the k in the ab- 
straction. Hence, for example, in program $P_1$ it is sufficient to choose k = 2 to be 
able to prove that the goal at(x, y) will always terminate, and in $P_2$ it is sufficient 
to choose k = 3 to show that the goals p(f(b), x), p(b, x), p(f(b), x), p(f(f(.)), x) 
always terminate. In particular, we can prove an interesting result (see Corollary 
1), showing that for any goal which does universally terminate, by increasing k 
we will eventually be able to prove it. As a final remark, we want to stress that 
the idea behind our analysis is that such an analysis should be combined with 
the existing ones, to improve the overall precision. 

In order to reason on termination by using abstract interpretation, the first 
step is to define a suitable concrete semantics. Section 2 explains which proper- 
ties such a semantics has to enjoy and why the previously defined semantics are 
not suitable to our purposes. Section 3 introduces an adequate semantics (exact 
answers) which is able to model infinite derivations in a compositional way. This 
semantics is then used to derive computable approximations of non-terminating 
computations and effective conditions to reason about termination. Section 4 
defines the depth-k abstraction, which yields an approximation of exact answers 
and therefore of the set of goals having at least one infinite derivation. This 
approximation is used for a termination analysis which is able to detect classes 
of goals which universally terminate (Section 5). Finally, in Section 6, the ap- 
proximation is used for detecting a class of goals for which the depth-first search 
rule is fair. 



2 Which Semantics for Infinite Derivations 

Since we cannot reason about possibly non-terminating computations without 
taking into account the infinite behavior of goals, we start by providing a se- 
mantics which faithfully models this observable. Moreover, in order to apply the 
abstract interpretation framework, we look for a semantics which is obtained 
as a fixpoint of a suitable operator. Furthermore, to reason in a modular way, 
we need this semantics to be compositional w.r.t. the syntactic operators. In 
particular, we want the semantics to be AND-compositional, i.e. we want to be 
able to infer the infinite behavior of a conjunctive goal by using the informa- 
tion on the infinite behavior of atomic goals only. These requirements have some 
consequences. First of all, information about successful computations has to be 
collected. In fact, a conjunctive goal has an infinite computation (via a fair se- 
lection rule) if at least one of the atoms in the goal has an infinite computation 
and all the other atoms are successful. Moreover we also have to faithfully model 
answers of infinite and successful derivations. In fact, this allows us to under- 
stand whether a conjunctive goal has an infinite derivation or a finite failure due 
to the computation of incompatible substitutions. Following the terminology of 
[21], we aim at modelling exact answers, i.e. the set of substitutions computed 
by successful or non-terminating derivations. 

Unfortunately none of the semantics defined so far for modeling the infinite behav- 
ior is adequate to our needs. For example, the semantics in [33,36,25,40,28] 
do not model exact answers, but their downward closure. The semantics in [29] 
is able to model many aspects of Prolog computations as well as the infinite 
behavior. However it is not able to model exact answers of infinite derivations. 
On the other hand, [21,37] introduce a categorical approach that allows them to 
model exact answers as the colimit of the $\omega$-chain consisting of the iterates of 
a functor F. However, this construction seems quite hard to fit into the abstract 
interpretation framework. 

Intuitively, the main difficulty in modeling exact answers is due to the choice 
of a suitable domain. If the domain is too abstract, in a sense, we are not able to 
exclude instances of the exact answers from the computation of the fixpoint. Our 
intuition is that without any information on the number of steps necessary to 
compute a substitution, a greatest fixpoint semantics would deliver as answers 
instances of substitutions for non-terminating derivations, which would never be 
computed. 

Our semantics models exact answers and is defined as the greatest fixpoint 
of a co-continuous operator on a quite simple domain (the order is the pointwise 
extension of subset inclusion). Clearly, this semantics is not effectively com- 
putable. Hence we cannot use it as the base for the effective conditions we are 
looking for. However, by following the usual approach of abstract interpretation, 
we use it as the collecting semantics to build more abstract, approximate yet 
effective semantics. It is worth noting that our construction allows us to define 
approximate semantics which still distinguish between the results of successful 
and infinite computations, which is not the case for most of the ad-hoc semantics 
proposed in the literature [33,36,25,40,21]. 

3 A Fixpoint Semantics Modeling Exact Answers 

The reader is assumed to be familiar with the terminology and the basic results 
in the semantics of logic programs [1,33] and with the theory of abstract interpre- 
tation as presented in [18,19]. In the following $x, x_1, x_2, \ldots, y, y_1, y_2, \ldots$ denote 
variables, while $\bar x$ and $\bar t$ denote tuples of distinct variables and of terms respectively; 
B and G denote (possibly empty) conjunctions of atoms. 

We want to define a semantics which models exact answers of infinite and 
successful derivations via a fair selection rule (the parallel selection rule^1). 

An important step is the choice of a domain which is able to precisely rep- 
resent the behaviors we are interested in. In particular, the domain has to be 
able to represent finite and infinite substitutions computed by non-terminating 
computations. A natural choice is to use sequences of substitutions to represent 
possibly infinite substitutions. Given the goal G, we consider the sets of (pos- 
sibly infinite) sequences $\theta_1 :: \theta_2 :: \ldots :: \theta_m :: \ldots$ of substitutions, increasingly 
more instantiated ($\forall i.\ G\theta_i \le G\theta_{i+1}$), representing the sequence of partial sub- 
stitutions computed at each step by successful and infinite derivations for G. 
In particular, an infinite sequence $\theta_1 :: \theta_2 :: \ldots :: \theta_m :: \ldots$ represents the se- 
quence of partial substitutions computed by an infinite derivation, while a finite 
sequence $\theta_1 :: \theta_2 :: \ldots :: \theta_n$ represents the finite sequence of partial substitutions 
computed by a successful derivation. 

^1 Let $G = A_1, \ldots, A_n$. The parallel selection rule R selects at the first step some $A_j$. 
Then, in the next step it will select the atom $A_{j+1}$ (of the goal G) up to $A_n$, then 
it will select $A_1$ and so on. 

Example 3. Consider the following program $P_3$ 

    P3 : p(x) ← p(x) 
         q(f(x)) ← q(x) 
         q(a) 

The substitution computed by the infinite derivation for p(x) may be repre- 
sented by the infinite sequence $x/x_1 :: x/x_2 :: x/x_3 :: \ldots$, while the substitution 
computed by the infinite derivation for q(x) may be represented by the infinite 
sequence $x/f(x_1) :: x/f(f(x_2)) :: \ldots :: x/f^n(x_n) :: \ldots$. Finally, the substitutions 
computed by the successful derivations for q(x) may be represented by the fi- 
nite sequences $x/a$, $x/f(x_1) :: x/f(a)$, $x/f(x_1) :: x/f(f(x_2)) :: x/f(f(a))$, 
$x/f(x_1) :: x/f(f(x_2)) :: x/f(f(f(x_3))) :: x/f(f(f(a)))$, ... 

It is worth noting that this approach is already sufficient to avoid the difficulties 
of other approaches, which generally consider much more abstract domains made 
up of simple substitutions. The information on the number of steps needed to 
compute a substitution, implicitly contained in our sequences, is necessary to 
obtain a semantics modelling exact answers. Consider the previous example, 
with the substitutions $\{x/f(t)\}$, where t is any term, as possible substitutions 
computed for p(x). It is easy to see that there is no way of not including the 
substitutions $\{x/f(t)\}$ in the computation of a greatest fixpoint semantics for 
p(x), even if actually $\{x/f(t)\}$ is not a substitution computed by any successful 
or infinite derivation in P, for any t. Indeed, this is not the case in our approach, 
as shown by the following examples. 

Once this choice is made, a second problem arises with And-compositionality. 
In fact, it does not seem possible to achieve And-compositionality without any infor- 
mation on the clauses used in the derivation. This is because the substitutions 
for a conjunctive goal, computed at a given step, depend on the selected atom. 
Since the selection rule we consider is the parallel selection rule (note however 
that the same problem would arise with any non-local rule), the substitution 
computed at a given rewriting step depends on the form of the current goal 
in the concrete derivation and on the previously selected atoms. However, we 
do not have all this information in our abstract domain unless we consider the 
concrete derivation itself. 

In order to solve this problem, we consider sequences of substitutions com- 
puted at specific steps of the rewriting process. These specific steps allow us to 
compose sequences of substitutions without any additional information on the 
concrete derivation they come from. 

Let $d = G \Rightarrow G_1 \Rightarrow G_2 \Rightarrow \ldots$ be a derivation of G via the parallel selection 
rule. Let $n_1 = \mathit{length}(G)$^2 be the number of steps necessary for all the atoms in 
G to be selected exactly once. Let $G_1$ be the goal at step $n_1$; $n_2$ is the number 
of steps necessary for all the atoms in $G_1$ to be selected ($\mathit{length}(G_1)$). Then $G_2$ 
is the goal at step $n_1 + n_2$, and $n_3$ is the number of steps necessary for all of its 
atoms to be selected, and so on. We can single out a sequence of intermediate steps 
$n_1, n_2, \ldots$ of the derivation d for a goal G. This sequence can be formally defined 
by the recursive definition $n_1 = \mathit{length}(G)$, $n_{i+1} = \mathit{length}(G_{\sum_{k \le i} n_k})$. Our 
idea is to use this sequence of steps to refine our sequence of substitutions. We 
consider then sequences of substitutions $\langle ::_{n_1} \theta_1 ::_{n_2} \theta_2 :: \ldots ::_{n_m} \theta_m :: \ldots \rangle$ 
($G\theta_i \le G\theta_{i+1}$), labelled by step numbers, where $\theta_i$ is the substitution (restricted 
to the variables of G) computed by the derivation up to the i-th intermediate step. This 
choice is crucial to obtain an And-compositional fixpoint semantics modeling 
exact answers. 

^2 $\mathit{length}(A_1, \ldots, A_m) = m$ 

Thus, let S be the powerset of the set of finite and infinite sequences of 
substitutions $::_{n_1} \theta_1 ::_{n_2} \theta_2 :: \ldots ::_{n_m} \theta_m :: \ldots$, ordered by set inclusion. Let 
Goals be the set of all goals in the program P. Our domain is $A_{inf} \subseteq [\mathit{Goals} \to S]$, 
i.e. the domain of all the partial functions ordered by $\sqsubseteq$, the pointwise extension 
of the order in S. $(A_{inf}, \sqsubseteq)$ is clearly a complete lattice. 

Since we need to And-compose sequences of different lengths, we introduce a 
notion of completed version of a sequence w.r.t. a given length n (where possibly 
$n = \omega$). 

Definition 1. $s_1 \in S$ is the completed version w.r.t. n of a sequence $s_2 \in S$, 
$s_2 = ::_{n_1} \theta_1 :: \ldots ::_{n_m} \theta_m$, iff 

$s_1 = s_2 \underbrace{:: \theta_m :: \theta_m :: \ldots}_{n - m}$ 

Our semantic operator $T[[P]] : A_{inf} \to A_{inf}$ is defined as follows. For each 
generic atomic goal $p(\bar x)$ we compute the new set of exact answers by consider- 
ing each clause in P defining the procedure p and each exact answer (according 
to the interpretation $I \in A_{inf}$) for the conjunctive goal body of the clause. 
For each clause $p(\bar t) \leftarrow p_1(\bar t_1), \ldots, p_n(\bar t_n)$ (renamed version w.r.t. $\bar x$ of a clause 
defining p in P), we obtain a new exact answer for $p(\bar x)$ whose first substitu- 
tion is $\theta = \mathit{mgu}(p(\bar x), p(\bar t))$ and whose following sequence is the composition of $\theta$ 
with the substitutions forming a possible exact answer for the conjunctive goal 
$p_1(\bar t_1), \ldots, p_n(\bar t_n)$ according to I. It is worth noting that a possible exact an- 
swer for the conjunctive goal $p_1(\bar t_1), \ldots, p_n(\bar t_n)$ according to I is computed by 
And-composing and composing w.r.t. instantiation the exact answers (found in 
I) for the atomic generic goals $p_j(\bar x_j)$, $j = 1, \ldots, n$. 

Definition 2. Let $I \in A_{inf}$. $T[[P]]I =$ 

$\lambda p(\bar x).\{ \langle ::_1 \theta ::_{n_1} \theta_1 :: \ldots ::_{n_m} \theta_m :: \ldots \rangle \mid \exists p(\bar t) \leftarrow B$ a renamed version w.r.t. $\bar x$ 
of a clause in P, $B = p_1(\bar t_1), \ldots, p_n(\bar t_n)$, 
$\theta := \{\bar x/\bar t\}$, for $j = 1, \ldots, n$, $s_j \in I(p_j(\bar x_j))$, 
$\langle ::_{n^j_1} \theta^j_1 :: \ldots ::_{n^j_m} \theta^j_m :: \ldots \rangle$ is the completed 
version w.r.t. $w = \max_{j=1,\ldots,n}(\mathit{length}(s_j))$ 
of the sequence $s_j$, for $h = 1 \ldots w$, $n_h =$ 
$\theta_h = \theta \cdot \mathit{mgu}(B, (p_1(\bar x_1)\theta^1_h, \ldots, p_n(\bar x_n)\theta^n_h))|_{\bar x} \}$ 

Theorem 1. [27] $T[[P]]$ is monotone and co-continuous on $A_{inf}$. 

We define the fixpoint semantics of P as $\mathit{gfp}(T[[P]]) = \mathit{glb}(\{ T[[P]]\downarrow i \mid i < 
\omega \}) = \bigcap_{i < \omega} T[[P]]\downarrow i$, where $T[[P]]\downarrow i$ are the usual ordinal powers. 
Example 4. 

    P4 : q(a) ← p(x) 
         p(f(x)) ← p(x) 

$T[[P_4]]\downarrow 0\ (q(x)) = \{ s \mid s \text{ is a sequence} \}$ 

$T[[P_4]]\downarrow 0\ (p(x)) = \{ s \mid s \text{ is a sequence} \}$ 

$T[[P_4]]\downarrow 1\ (q(x)) = \{ s \mid s \text{ is a sequence starting with } ::_1 \{x/a\} \}$ 

$T[[P_4]]\downarrow 1\ (p(x)) = \{ s \mid s \text{ is a sequence starting with } ::_1 \{x/f(x_1)\} \}$ 

$T[[P_4]]\downarrow 2\ (q(x)) = \{ s \mid s \text{ is a sequence starting with } ::_1 \{x/a\} ::_1 \{x/a\} \}$ 

$T[[P_4]]\downarrow 2\ (p(x)) = \{ s \mid s \text{ is a sequence starting with } ::_1 \{x/f(x_1)\} ::_1 \{x/f(f(x_2))\} \}$ 

$\mathit{gfp}(T[[P_4]])\ (q(x)) = \{ \langle ::_1 \{x/a\} ::_1 \ldots ::_1 \{x/a\} ::_1 \ldots \rangle \}$ 

$\mathit{gfp}(T[[P_4]])\ (p(x)) = \{ \langle ::_1 \{x/f(x_1)\} ::_1 \{x/f(f(x_2))\} ::_1 \ldots ::_1 \{x/f^n(x_n)\} :: \ldots \rangle \}$ 

    P5 : q(x) ← q(f(x)) 
         p(f(x)) ← q(x) 

$\mathit{gfp}(T[[P_5]])\ (q(x)) = \{ \langle ::_1 \{x/x_1\} ::_1 \ldots ::_1 \{x/x_n\} ::_1 \ldots \rangle \}$ 

$\mathit{gfp}(T[[P_5]])\ (p(x)) = \{ \langle ::_1 \{x/f(x_1)\} ::_1 \ldots ::_1 \{x/f(x_n)\} ::_1 \ldots \rangle \}$ 

    P6 : t(a) ← p(x, y), q(x, y) 
         q(f(f(y)), f(y)) ← q(f(y), y) 
         p(f(y), f(y)) ← p(y, y) 
         p(a, a) 

$\mathit{gfp}(T[[P_6]])\ (t(x)) = \{\}$ 

$\mathit{gfp}(T[[P_6]])\ (q(x, y)) = \{ \langle ::_1 \{x/f(f(x_1)), y/f(x_1)\} ::_1 \ldots ::_1 \{x/f^{n+1}(x_n), y/f^n(x_n)\} \ldots \rangle \}$ 

$\mathit{gfp}(T[[P_6]])\ (p(x, y)) = \{ \langle ::_1 \{x/a, y/a\} \rangle,$ 
$\langle ::_1 \{x/f(x_1), y/f(x_1)\} ::_1 \{x/f(a), y/f(a)\} \rangle, \ldots,$ 
$\langle ::_1 \{x/f(x_1), y/f(x_1)\} ::_1 \ldots ::_1 \{x/f^n(x_n), y/f^n(x_n)\} \ldots \rangle \}$ 

    P7 : even(s(s(x))) ← even(x) 
         even(0) 

$\mathit{gfp}(T[[P_7]])\ (even(x)) = \{ \langle ::_1 \{x/0\} \rangle, \langle ::_1 \{x/s(s(x_1))\} ::_1 \{x/s(s(0))\} \rangle, \ldots,$ 
$\langle ::_1 \{x/s(s(x_1))\} ::_1 \{x/s(s(s(s(x_2))))\} ::_1 \ldots ::_1 \{x/s^{2n}(x_n)\} \ldots \rangle \}$ 

The derivation of the above fixpoint semantics deserves some interest by 
itself. In fact, we have systematically derived it by using abstract interpretation 
techniques: starting from a very concrete semantics introduced in [26], which 
extends the semantics in [16] with infinite SLD fair derivations, we have defined 
a Galois insertion which does not lose any information on exact answers. It turns 
out that the abstraction is precise (complete): $\mathit{gfp}(T[[P]])$ faithfully models the 
exact answers of infinite and successful derivations. Moreover the semantics is 
fully abstract, as stated by the following theorem. 

Theorem 2. [27] Let G be a goal. $\mathit{gfp}(T[[P]]) = \mathit{gfp}(T[[Q]])$ iff every goal G has 
the same answers computed by infinite or successful derivations in the program 
P and in the program Q. 

The semantics is compositional w.r.t. instantiation and And-composition of 
atoms. That is, the behavior of $p(\bar t)$ can be inferred from the behavior of a 
generic atom $p(\bar x)$, and we can infer the behavior of conjunctive goals from the 
information on the exact answers of atomic goals only. For a detailed definition 
of these operations see [27]. 



4 Approximate Semantics 

Our fixpoint semantics is not effective, since it deals with infinite sequences of 
substitutions and needs to compute a greatest fixpoint. Hence, in this section, 
we introduce an effective approximation of $\mathit{gfp}(T[[P]])$. 

4.1 The Depth-k Domain 

The idea is to approximate an infinite set of exact answers by means of a 
depth(k) cut [41]. Terms are cut by replacing each sub-term rooted at depth k 
with a new fresh variable taken from a set W (disjoint from the set of program 
variables V). A depth(k) term represents a set of terms, obtained by instantiat- 
ing the variables of W with any term built over V. 

These operations define a function $\alpha_k$ on terms. We can extend $\alpha_k$ to substi- 
tutions to obtain abstract substitutions of the form $\alpha_k(\theta) = \{x/\alpha_k(t) \mid x/t \in \theta\}$. 
We assume that, for any binding in $\theta$, cuts are performed by using distinct vari- 
ables of W. We denote by $\mathit{Subst}_k$ the set of substitutions $V \to T_k$, where $T_k$ is 
the set of depth(k) terms. 



4.2 The Abstraction 

In order to make the approximation effectively computable, we have to get rid of 
the information on the number of steps and on the partial substitutions computed 
at step $n_i$. The idea is to abstract a sequence of substitutions $\langle ::_{n_1} \theta_1 ::_{n_2} \theta_2 :: 
\ldots ::_{n_m} \theta_m :: \ldots \rangle$ for G with the abstract substitution $\alpha_k(\theta_s)$, where $\forall v > s$, 
$\alpha_k(\theta_s) = \alpha_k(\theta_v)$. It follows from the bounded depth of terms in the depth(k) domain 
that such an s always exists. Moreover, since we have lost all the information 
about the number of steps, we have to find some way to distinguish between 
successful and infinite derivations. To this aim, we use the two symbols $\Box$ and 
$\Diamond$. 
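As an added worked example (not code from the paper), the depth-k cut of Section 4.1 and the stabilising index s just described, run over the exact answers of q(x) in $P_3$ from Example 3; the encoding of terms as nested tuples and the left-to-right numbering of the W variables are assumptions of this example. 

```python
"""Depth-k abstraction of terms and substitutions (Sections 4.1 and 4.2).

Added example, not code from the paper.  Encoding assumed here:
  * a program variable of V is a str such as "x1";
  * a compound term or constant is a tuple (functor, args),
    e.g. ("f", (("a", ()),)) stands for f(a);
  * variables of W are "w1", "w2", ... numbered left to right inside one
    abstract substitution, so that cut terms of the same shape compare
    equal (the paper only requires the W variables of one cut to be distinct).
"""

SUCCESS, INFINITE = "\u25a1", "\u25c7"   # the tags [] and <> of Section 4.2


def depth_k(term, k, fresh):
    """alpha_k on one term: every sub-term rooted at depth k (the root has
    depth 1) is replaced by a fresh variable of W; shallower parts are kept."""
    if k <= 1:
        return fresh()
    if isinstance(term, str):            # a variable of V above the cut depth
        return term
    functor, args = term
    return (functor, tuple(depth_k(a, k - 1, fresh) for a in args))


def alpha_k(theta, k):
    """alpha_k(theta) = {x/alpha_k(t) | x/t in theta}; the bindings are
    processed in variable order and all cuts use distinct W variables."""
    counter = [0]

    def fresh():
        counter[0] += 1
        return "w%d" % counter[0]

    return {x: depth_k(t, k, fresh) for x, t in sorted(theta.items())}


def stabilisation(sequence, k):
    """Given a finite prefix theta_1 :: ... :: theta_m of an exact answer,
    return (s, alpha_k(theta_s)) for the least 1-based s such that
    alpha_k(theta_s) == alpha_k(theta_v) for every v > s in the prefix.
    Section 4.2 argues such an s exists because depth-k terms are finitely many."""
    abstract = [alpha_k(theta, k) for theta in sequence]
    s = len(abstract)
    while s > 1 and abstract[s - 2] == abstract[s - 1]:
        s -= 1
    return s, abstract[s - 1]


def abstract_answer(sequence, k, infinite):
    """The pair <alpha_k(theta_s), o> that alpha^k attaches to one exact answer:
    o is INFINITE for an infinite derivation and SUCCESS for a successful one."""
    _, theta = stabilisation(sequence, k)
    return theta, (INFINITE if infinite else SUCCESS)


# Constructed sample input: exact answers of q(x) in P3 (Example 3),
#   q(f(x)) <- q(x)      q(a)
def f_pow(n, leaf):
    """Build f^n(leaf)."""
    for _ in range(n):
        leaf = ("f", (leaf,))
    return leaf


def q_infinite_prefix(length):
    """First `length` elements of the infinite answer x/f(x1) :: x/f(f(x2)) :: ..."""
    return [{"x": f_pow(i, "x%d" % i)} for i in range(1, length + 1)]


def q_success(n):
    """The finite answer x/f(x1) :: ... :: x/f^n(xn) :: x/f^n(a) of q(x)."""
    return q_infinite_prefix(n) + [{"x": f_pow(n, ("a", ()))}]


if __name__ == "__main__":
    K = 3
    # Both answers abstract to {x/f(f(w1))}; only the tag tells them apart,
    # which is exactly why Section 4.2 introduces the two symbols.
    print(abstract_answer(q_infinite_prefix(6), K, infinite=True))
    print(abstract_answer(q_success(4), K, infinite=False))
    print(stabilisation(q_infinite_prefix(6), K))    # stabilises at s = 2
```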

Let $S^\alpha$ be the domain of sets of pairs $\langle \theta, o \rangle$, where $\theta \in \mathit{Subst}_k$ and 
$o \in \{\Box, \Diamond\}$, ordered by set inclusion. Consider now the abstract domain $A^\alpha \subseteq 
[\mathit{Goals} \to S^\alpha]$, the domain of all the partial functions ordered by the point- 
wise extension of the order in $S^\alpha$. $(A^\alpha, \sqsubseteq)$ is a complete lattice. 

The abstraction $\alpha^k : A_{inf} \to A^\alpha$ and the concretization $\gamma^k : A^\alpha \to A_{inf}$ are 
defined as follows. 
$\alpha^k(I) := \lambda G.\{ \langle \alpha_k(\theta_h), \Box \rangle \mid t = \langle ::_{n_1} \theta_1 ::_{n_2} \theta_2 :: \ldots ::_{n_m} \theta_m :: \ldots \rangle \in I(G)$, 
t is a finite sequence and 
$\forall v > h$, $\alpha_k(\theta_h) = \alpha_k(\theta_v)\} \cup$ 
$\{ \langle \alpha_k(\theta_h), \Diamond \rangle \mid t = \langle ::_{n_1} \theta_1 ::_{n_2} \theta_2 :: \ldots ::_{n_m} \theta_m :: \ldots \rangle \in I(G)$, 
t is an infinite sequence and 
$\forall v > h$, $\alpha_k(\theta_h) = \alpha_k(\theta_v)\}$ 

$\gamma^k(I^\alpha) :=$ 
$\lambda G.\{ s = \langle ::_{n_1} \theta_1 :: \ldots ::_{n_m} \theta_m \rangle \mid s$ is a finite sequence and 
$\langle \theta, \Box \rangle \in I^\alpha(G)$ and $\exists h$, $\theta = \alpha_k(\theta_h)$ and 
$\forall v > h$, $\alpha_k(\theta_h) = \alpha_k(\theta_v)\} \cup$ 
$\{ s = \langle ::_{n_1} \theta_1 :: \ldots ::_{n_m} \theta_m :: \ldots \rangle \mid s$ is an infinite sequence and 
$\langle \theta, \Diamond \rangle \in I^\alpha(G)$ and $\exists h$, $\theta = \alpha_k(\theta_h)$ and 
$\forall v > h$, $\alpha_k(\theta_h) = \alpha_k(\theta_v)\}$ 

Lemma 1. $(\alpha^k, \gamma^k) : (A_{inf}, \sqsubseteq) \to (A^\alpha, \sqsubseteq)$ is a Galois insertion. 

Following the abstract interpretation theory, we can derive the optimal ab- 
straction $T^\alpha[[P]] : A^\alpha \to A^\alpha$ of $T[[P]]$ on the abstract domain $A^\alpha$, defined as 
$\alpha^k \circ T[[P]] \circ \gamma^k$. 



Definition 3. Let $I \in A^\alpha$. $T^\alpha[[P]]I =$ 

$\lambda p(\bar x).\{ \langle \alpha_k(\theta), \Box \rangle \mid \exists p(\bar t) \leftarrow B$ a renamed version w.r.t. $\bar x$ 
of a clause in P, $B = p_1(\bar t_1), \ldots, p_n(\bar t_n)$, 
$\theta' := \{\bar x/\bar t\}$, for $j = 1, \ldots, n$, $\exists \langle \theta_j, \Box \rangle \in I(p_j(\bar x_j))$, 
$\theta = \theta' \cdot \mathit{mgu}(B, (p_1(\bar x_1)\theta_1, \ldots, p_n(\bar x_n)\theta_n))|_{\bar x}\} \cup$ 
$\{ \langle \alpha_k(\theta), \Diamond \rangle \mid \exists p(\bar t) \leftarrow B$ a renamed version w.r.t. $\bar x$ 
of a clause in P, $B = p_1(\bar t_1), \ldots, p_n(\bar t_n)$, $n > 0$, 
and $\theta' := \{\bar x/\bar t\}$, $\exists j \in \{1, \ldots, n\}$, $\langle \theta_j, \Diamond \rangle \in I(p_j(\bar x_j))$ 
and for $l \in \{1, \ldots, n\}$, $l \ne j$, 
there exist $\langle \theta_l, o \rangle \in I(p_l(\bar x_l))$, $o \in \{\Diamond, \Box\}$, 
$\theta = \theta' \cdot \mathit{mgu}(B, (p_1(\bar x_1)\theta_1, \ldots, p_j(\bar x_j)\theta_j, \ldots, p_n(\bar x_n)\theta_n))|_{\bar x}\}$ 

The semantics of P is the greatest fixpoint of the $T^\alpha[[P]]$ operator, which is 
monotone on the finite domain $A^\alpha$. 

Of course, our approximation $\mathit{gfp}(T^\alpha[[P]])$ loses precision w.r.t. the con- 
crete semantics $\mathit{gfp}(T[[P]])$. However, it still distinguishes between exact answers 
of successful and infinite derivations, i.e. the abstract operator does not necessar- 
ily compute the same answers for successful and infinite derivations, as shown by 
the results for programs $P_6$ and $P_7$ in the following example. As we have already 
pointed out, this is not the case for most of the concrete semantics proposed to 
model infinite computations [33,36,25,40,21]. 



Example 5. Consider the programs in Example 4. Let $w, w_1, w_2 \in W$ and let 
k = 3. 







$T^\alpha[[P_4]](\top^\alpha)(q(x)) = \{ \langle \{x/a\}, \Box \rangle, \langle \{x/a\}, \Diamond \rangle \}$ 

$T^\alpha[[P_4]](\top^\alpha)(p(x)) = \{ \langle \{x/f(a)\}, \Box \rangle, \langle \{x/f(x_1)\}, \Box \rangle,$ 
$\langle \{x/f(f(w))\}, \Box \rangle, \langle \{x/f(a)\}, \Diamond \rangle, \langle \{x/f(x_1)\}, \Diamond \rangle,$ 
$\langle \{x/f(f(w))\}, \Diamond \rangle \}$ 

$\mathit{gfp}(T^\alpha[[P_4]])(q(x)) = \{ \langle \{x/a\}, \Box \rangle, \langle \{x/a\}, \Diamond \rangle \}$ 
$\mathit{gfp}(T^\alpha[[P_4]])(p(x)) = \{ \langle \{x/f(f(w))\}, \Box \rangle, \langle \{x/f(f(w))\}, \Diamond \rangle \}$ 

$\mathit{gfp}(T^\alpha[[P_5]])(q(x)) = \{ \langle \{x/a\}, \Box \rangle, \langle \{x/f(a)\}, \Box \rangle, \langle \{x/x_1\}, \Box \rangle,$ 
$\langle \{x/f(x_1)\}, \Box \rangle, \langle \{x/f(f(w))\}, \Box \rangle, \langle \{x/a\}, \Diamond \rangle,$ 
$\langle \{x/f(a)\}, \Diamond \rangle, \langle \{x/x_1\}, \Diamond \rangle, \langle \{x/f(x_1)\}, \Diamond \rangle,$ 
$\langle \{x/f(f(w))\}, \Diamond \rangle \}$ 

$\mathit{gfp}(T^\alpha[[P_5]])(p(x)) = \{ \langle \{x/f(a)\}, \Box \rangle, \langle \{x/f(x_1)\}, \Box \rangle,$ 
$\langle \{x/f(f(w))\}, \Box \rangle, \langle \{x/f(a)\}, \Diamond \rangle, \langle \{x/f(x_1)\}, \Diamond \rangle,$ 
$\langle \{x/f(f(w))\}, \Diamond \rangle \}$ 

$\mathit{gfp}(T^\alpha[[P_6]])(t(x)) = \{ \langle \{x/a\}, \Box \rangle, \langle \{x/a\}, \Diamond \rangle \}$ 
$\mathit{gfp}(T^\alpha[[P_6]])(q(x, y)) = \{ \langle \{x/f(f(w_1)), y/f(f(w_2))\}, \Box \rangle,$ 
$\langle \{x/f(f(w_1)), y/f(f(w_2))\}, \Diamond \rangle \}$ 

$\mathit{gfp}(T^\alpha[[P_6]])(p(x, y)) = \{ \langle \{x/a, y/a\}, \Box \rangle, \langle \{x/f(a), y/f(a)\}, \Box \rangle,$ 
$\langle \{x/f(f(w_1)), y/f(f(w_2))\}, \Box \rangle,$ 
$\langle \{x/f(f(w_1)), y/f(f(w_2))\}, \Diamond \rangle \}$ 

$\mathit{gfp}(T^\alpha[[P_7]])(even(x)) = \{ \langle \{x/0\}, \Box \rangle, \langle \{x/s(s(w))\}, \Box \rangle, \langle \{x/s(s(w))\}, \Diamond \rangle \}$ 



The abstract fixpoint semantics $\mathit{gfp}(T^\alpha[[P]])$ correctly approximates $\mathit{gfp}(T[[P]])$, 
i.e., for every $p(\bar x)$, $\mathit{gfp}(T[[P]])(p(\bar x)) \subseteq \gamma^k(\mathit{gfp}(T^\alpha[[P]]))(p(\bar x))$, and is finitely 
computable. 

Theorem 3. [27] If $p(\bar x)$ has an infinite or successful derivation in P, computing 
the sequence of substitutions s, then, for any k, $s \in \gamma^k(\mathit{gfp}(T^\alpha[[P]]))(p(\bar x))$. 

It is important to note that the abstract semantics is still compositional 
w.r.t. instantiation and And-composition. For a detailed definition of these ab- 
stract operations see [27]. 

We can use the information in $\mathit{gfp}(T^\alpha[[P]])$ to give a correct upward approx- 
imation of the set of goals which have at least one infinite derivation in P. By 
Theorem 3 and the results on compositionality, we can define the set $\mathit{Inf}^k_P$. 

Definition 4. Let 

$\mathit{Inf}^k_P = \{ G \mid G = p_1(\bar t_1), \ldots, p_n(\bar t_n)$, 
$\exists i \in \{1, \ldots, n\}$, $\langle \sigma_i, \Diamond \rangle \in \mathit{gfp}(T^\alpha[[P]])(p_i(\bar x_i))$ and 
for $i \in \{1, \ldots, n\}$, $\exists \langle \sigma_i, o \rangle \in \mathit{gfp}(T^\alpha[[P]])(p_i(\bar x_i))$ such that 
G and $p_1(\bar x_1)\sigma_1, \ldots, p_n(\bar x_n)\sigma_n$ are unifiable$\}$ 



As a consequence of the correctness of the approximation $\mathit{gfp}(T^\alpha[[P]])$ (Theorem 
3), we can prove the following theorem. 

Theorem 4. If the goal G has an infinite derivation in P (via a fair selection 
rule), then, for all k, $G \in \mathit{Inf}^k_P$. 

The following result tells us that, by increasing k, we get more precise results. 

Theorem 5. [27] If the goal G does not have an infinite derivation in the 
program P (via a fair selection rule), then there exists a $\bar k$ such that $\forall k \ge \bar k$, 
$G \notin \mathit{Inf}^k_P$. 

Let us now spend a few words on the complexity of the computation of the 
abstract fixpoint semantics on which the termination analysis is based. The size of 
a depth-k term is bounded exponentially by k, where k is given and does not 
depend on the particular program. The complexity of abstract unification is 
the same as that of concrete unification, i.e. linear in the term sizes. Since 
the size of depth-k terms is bounded, the complexity of abstract unifi- 
cation is bounded exponentially by k. Let us now analyze the complexity of the 
computation of the abstract semantics. We want to find a bound for the number 
of iterations of the abstract fixpoint operator necessary to compute the abstract 
semantics. It is worth noting that the number of different depth-k terms in 
the depth-k domain is bounded exponentially by k. Again, k is a given constant 
and does not depend on the particular program. Therefore, the number of itera- 
tions of the abstract fixpoint operator is exponential in k in the worst case. It is 
worth noting however that this case is very rare and that there exist techniques 
such as widening [20] which can be used to speed up convergence. Many static 
analyses, such as groundness and sharing, based on an abstract semantics whose compu- 
tation requires (in the worst case) a number of iterations comparable to that 
of our abstract semantics, have been successfully implemented in real analyzers 
such as CIAO [12] and China [6]. 

The two following sections show how our abstract semantics can be applied 
to study universal termination and to analyze the fairness of the depth-first 
strategy. 

5 Universal Termination 

Let us formally introduce the notion of universal termination. 

Definition 5. A logic program P and a goal G universally terminate w.r.t. a 
set of selection rules S, if every SLD- derivation of P and G, via any selection 
rule from S, is finite. 

The early approaches to the characterization of terminating programs focused 
on universal termination w.r.t. all selection rules [8,9]. Indeed, this is a strong 
property holding only for simple programs and goals. Therefore the following 
step was the study of universal termination w.r.t. specific selection rules, and, in 
particular Prolog's leftmost selection rule [3,4,5]. Recently, [39] has introduced 
the concept of ∃-Universal Termination, which is related to the existence of at 
least one selection rule for which every SLD-derivation is finite. 

Definition 6. [39] A program P and a goal G ∃-universally terminate iff there 
exists a selection rule s such that every SLD-derivation of G via s is finite. 

Since fair selection rules select any atom of a goal in a finite number of steps, 
they allow a conjunctive goal to fail if at least one of its atoms fails. Therefore, 
the following result holds. 

Theorem 6. [39] A program P and a goal G ∃-universally terminate iff they 
universally terminate w.r.t. the set of fair selection rules. 

In [39] Ruggieri introduces a characterization of ∃-universal termination by means 
of a notion of fair-bounded programs and queries, which provides us with a 
sound and complete method for proving ∃-universal termination. However, this 
characterization is undecidable. 

By using our effective approximation $\mathcal{T}^\alpha[\![P]\!]$, we can define sufficient yet ef- 
fective conditions. In fact, we can compute, for any given k, a superset of the 
goals which have at least one infinite derivation via a fair selection rule. There- 
fore, if, for a given k, a goal G (or, in general, a class of goals) has no infinite 
derivation according to $Inf_P^k$, i.e. $G \notin Inf_P^k$, we can conclude that the goal G (or the class of 
goals) ∃-universally terminates. As a consequence of Theorem 4, we can state 
the following corollary. 

Corollary 1. [27] Let $P$ be a program and $G = p_1(t_1), \ldots, p_n(t_n)$ be a goal. 
The program $P$ and the goal $G$ ∃-universally terminate iff there exists a $k$ such 
that $G \notin Inf_P^k$, i.e., for all $\sigma_1, \ldots, \sigma_n$ such that 

- for at least one $i$, $i \in \{1, \ldots, n\}$, $\langle \sigma_i, \infty \rangle \in gfp(\mathcal{T}^\alpha[\![P]\!])(p_i(x_i))$, 

- for every other $i \in \{1, \ldots, n\}$, $\langle \sigma_i, \circ \rangle \in gfp(\mathcal{T}^\alpha[\![P]\!])(p_i(x_i))$, 

there exists no $mgu(G, (p_1(x_1)\sigma_1, \ldots, p_n(x_n)\sigma_n))$. 

Since the depth-k domain is finite, once k is given, we can check that $G \notin Inf_P^k$ 
in an effective way. Moreover, if G belongs to $Inf_P^k$, for a given k, yet it does 
∃-universally terminate, we can always increase k, until we find a k for which 
the conditions of Theorem 1 are satisfied. 

Example 6. Let $P_8$ be the following program. 

$P_8$ : q(a) <- p(f(f(a))). 
        <- p(x). 

Let $k = 3$ and $w \in W$. 

$gfp(\mathcal{T}^\alpha[\![P_8]\!])(q(x)) = \{\langle \{x/a\}, \infty \rangle, \langle \{x/a\}, \Box \rangle\}$ 
$gfp(\mathcal{T}^\alpha[\![P_8]\!])(p(x)) = \{\langle \{x/f(f(w))\}, \infty \rangle, \langle \{x/f(f(w))\}, \Box \rangle\}$ 

$q(x) \in Inf_{P_8}^3$. However, the goal q(x) has a finite failure in $P_8$. Therefore, for 
$k = 3$, our analysis cannot conclude that the goal q(x) terminates. 

We can then try to increase k to improve the precision of our analysis. 

For $k = 4$, 

$gfp(\mathcal{T}^\alpha[\![P_8]\!])(q(x)) = \emptyset$ 

$gfp(\mathcal{T}^\alpha[\![P_8]\!])(p(x)) = \{\langle \{x/f(f(b))\}, \infty \rangle, \langle \{x/f(f(b))\}, \Box \rangle\}$ 

In this case we prove (by correctness of the approximation) that the goal q(x) 
terminates. In fact, for $k = 4$, $q(x) \notin Inf_{P_8}^4$. It is worth noting that this is a 
very simple example, where the right k can be guessed just by looking at the 
program. Of course, this is not always the case for more complex programs. 

An advantage of the proposed method is that we can deal with classes of goals, 
for which the termination can be formally proved just by computing an abstract 
greatest fixpoint. In the following examples we sometimes deal with classes of 
goals defined extensionally using natural language. It is worth noting that such 
classes could be equivalently described using elements of a suitable composition 
of abstract domains (for groundness, types and depth-k) [19]. 

Example 7. Consider the program $P_1$ of Example 1. Assume we want to prove 
that at(x,y) always terminates. Let $k = 2$. It can be checked that 

$gfp(\mathcal{T}^\alpha[\![P_1]\!])(at(x,y)) = \{\langle \{x/telaviv, y/fido\}, \Box \rangle, \langle \{x/jerusalem, y/fido\}, \Box \rangle\}$ 
$gfp(\mathcal{T}^\alpha[\![P_1]\!])(near(x)) = \{\langle \{x/jerusalem\}, \Box \rangle\}$ 

Note that $at(x,y) \notin Inf_{P_1}^2$, since $Inf_{P_1}^2 = \emptyset$. 

Consider now the program $P_9$. We assume that the language of $P_9$ contains 
also the constants a and b. 

$P_9$ : reverse([x|xs], ys) <- reverse(xs, zs), append(zs, 
        reverse([], []). 

        append([x|xs], ys, [x|zs]) <- append(xs, ys, zs). 
        append([], ys, ys). 

Assume we want to prove that reverse(x, y) terminates whenever its first 
argument is a list of ground elements whose length is less than 100 or its second 
argument is a list of ground elements whose length is less than 100. 

For the sake of simplicity, we consider only elements of the form $\langle \_, \infty \rangle$ in 
$gfp(\mathcal{T}^\alpha[\![P_9]\!])$, since the queries we are interested in are atomic. Let $k = 101$ 
and $w_1, w_2 \in W$. 

$gfp(\mathcal{T}^\alpha[\![P_9]\!])(append(x,y,z)) = \{\langle \{x/[x_1, x_2, \ldots, x_{100}, w_1],\ y/y_{100},\ z/[z_1, z_2, \ldots, z_{100}, w_2]\}, \infty \rangle \mid$ 
where $x_1, \ldots, x_{100}$ and $z_1, \ldots, z_{100}$ are variables in $V$ or one of the constants a, b$\}$ 

$gfp(\mathcal{T}^\alpha[\![P_9]\!])(reverse(x,y)) = \{\langle \{x/[x_1, x_2, \ldots, x_{100}, w_1],\ y/[y_1, y_2, \ldots, y_{100}, w_2]\}, \infty \rangle \mid$ 
where $x_1, \ldots, x_{100}$ and $y_1, \ldots, y_{100}$ are variables in $V$ or one of the constants a, b$\}$ 

Note that any goal of the form reverse(x, y), such that x is a list of ground 
elements whose length is less than or equal to 100 or y is a list of ground elements whose 
length is less than or equal to 100, does not belong to $Inf_{P_9}^{101}$, i.e., there exists no mgu 
between such goals and $reverse([x_1, x_2, \ldots, x_{100}, w_1], [y_1, y_2, \ldots, y_{100}, w_2])$. 
Therefore, we may conclude that for our queries $P_9$ terminates. 

On the other hand, for all k, $reverse(x,y) \in Inf_{P_9}^k$. Therefore, for any k, we cannot 
conclude that the goal reverse(x, y) terminates in $P_9$. Indeed this goal has 
an infinite derivation in $P_9$. 

Let us now consider the program $P_2$ of Example 2. Again we consider only 
elements of the form $\langle \_, \infty \rangle$ in $gfp(\mathcal{T}^\alpha[\![P_2]\!])$. Let $k = 4$ and $w \in W$. 

$gfp(\mathcal{T}^\alpha[\![P_2]\!])(p(x,y)) = \{\langle \{x/a, y/f(f(f(w)))\}, \infty \rangle\}$ 
$gfp(\mathcal{T}^\alpha[\![P_2]\!])(q(x,y)) = \{\langle \{x/f(a), y/f(f(f(w)))\}, \infty \rangle\}$ 

which allow us to prove that the goals q(t, y), where t does not unify with 
f(a), terminate, while the goals q(x,y), q(f(x),y), q(f(a),y) universally termi- 
nate only if y is a ground depth-4 term. 

Finally, let us consider the program $P_{10}$. 

$P_{10}$ : odd(s(x)) <- even(x). 
         even(s(s(x))) <- even(x). 
         even(0). 

Let $k = 4$ and $w \in W$. 

$gfp(\mathcal{T}^\alpha[\![P_{10}]\!])(odd(x)) = \{\langle \{x/s(0)\}, \Box \rangle, \langle \{x/s(s(s(0)))\}, \Box \rangle,$ 
$\langle \{x/s(s(s(s(w))))\}, \Box \rangle, \langle \{x/s(s(s(s(w))))\}, \infty \rangle\}$ 

$gfp(\mathcal{T}^\alpha[\![P_{10}]\!])(even(x)) = \{\langle \{x/0\}, \Box \rangle, \langle \{x/s(s(0))\}, \Box \rangle,$ 
$\langle \{x/s(s(s(s(w))))\}, \Box \rangle, \langle \{x/s(s(s(s(w))))\}, \infty \rangle\}$ 

We can prove that the conjunctive goal even(x), odd(x) terminates whenever x is 
ground and its depth is less than 4. In this case, in fact, $even(x), odd(x) \notin Inf_{P_{10}}^4$. 
Note that, for any k, we cannot prove that even(x), odd(x) terminates. Indeed 
this goal has an infinite derivation. 



6 Non-safe Programs and Goals 

The theory of logic programming tells us that SLD-resolution is sound and com- 
plete. As a consequence, given a program P, every SLD-tree for a goal G is 
a complete search space for finding an SLD-refutation of G. In the actual im- 
plementation of logic languages (e.g. Prolog), the critical choice is that of the 
tree-searching algorithm. Two basic tree-search strategies are: the breadth-first 
search, which visits the tree by levels, and the depth-first search, which visits 
the tree by branches. The former is a fair strategy, since it finds a success node 
if one exists, whereas the latter is incomplete, since success nodes can be missed 
if an infinite branch is visited first. Universal termination tells us that we can be 
independent from the search algorithm. This means that if the program P and 
the goal G universally terminate we can “safely” replace breadth-first search by 
depth-first search. This is not the only case where depth-first search is fair. For 
example, if a goal G does not universally terminate in P, yet it has no successful 
derivations, breadth-first search and depth-first search will not yield different 
results. 

Hence it is useful to have an effective way to understand, for a given program, 
which are the goals for which the choice of the search strategy becomes relevant. 
To study this problem we introduce the following set. 
Definition 7. Let $P$ be a program and $G$ be a goal. 

$Non\text{-}safe(P) = \{G \mid G$ has at least one infinite and one successful derivation in $P\}$ 

If G is non-safe in P, then the depth-first search is in general non-equivalent to 
the breadth-first search. The set of non-safe goals of P is the set of goals which do 
not universally terminate, yet they do existentially terminate successfully via a 
fair selection rule and a breadth-first search rule. 

Our goal is to find a correct upward approximation of the set of non-safe goals, 
i.e. if G is a non-safe goal in P then we want G to belong to our approximation. 
Since the set of non-safe goals contains goals which have at least a successful and 
an infinite derivation, we use our approximate semantics to single out the goals 
which have an infinite derivation. We also need information on goals which have 
a successful derivation. Of course we could use our approximate semantics as 
well to single out the goals which have a successful derivation. However, in order 
to improve the precision of the analysis we introduce an approximation on the 
depth-k domain of the answers computed by successful derivations obtained as a 
least fixpoint. The improvement in precision in this new approximation w.r.t. the 
information on exact answers of successful derivations is due to the fact that, 
since we are observing just the successful behavior (which is a finite behavior), we 
can use a least fixpoint computation. It is worth noting that a similar remark was 
already made by Cousot in [17]. Therefore we introduce the following abstract 
operator approximating computed answers on the domain $A \subseteq [Goals \to S]$, where 
$S$ is the set of sets of substitutions in $Subst_k$. 

Definition 8. [15] $T^\alpha[\![P]\!]I =$ 

$\lambda p(x).\{\alpha_k(\theta) \mid \exists\, p(t) \leftarrow B$ a renamed version w.r.t. $x$ of a clause in $P$, 

$B = p_1(t_1), \ldots, p_n(t_n)$, $\theta_i \in I(p_i(x_i))$, 
$\theta = (\{x/t\} \cdot mgu(B, (p_1(x_1)\theta_1, \ldots, p_n(x_n)\theta_n)))|_x\}$ 

The abstract fixpoint semantics is the lfp of the $T^\alpha[\![P]\!]$ operator. 

By And-compositionality, we can define the set of goals which have a suc- 
cessful derivation according to the information in $lfp(T^\alpha[\![P]\!])$. 

Definition 9. $Succ_P^k =$ 

$\{G \mid G = p_1(t_1), \ldots, p_n(t_n)$, for $i \in \{1, \ldots, n\}$, $\exists \sigma_i \in lfp(T^\alpha[\![P]\!])(p_i(x_i))$ 

such that $G$ and $p_1(x_1)\sigma_1, \ldots, p_n(x_n)\sigma_n$ are unifiable$\}$ 

In [15], it was proved that this is a correct upward approximation of the 
computed answers of the program P. Therefore we can state the following result. 



Theorem 7. [15] If $G$ has at least one successful derivation in the program $P$, 
then for any $k$, $G \in Succ_P^k$. 

As a consequence of Theorems 4 and 7, we can state the following result. 

Corollary 2. [27] If $\exists k$ such that at least one of the following holds, $G \notin Succ_P^k$ 
or $G \notin Inf_P^k$, then the goal $G \notin Non\text{-}safe(P)$. 




An Abstract Interpretation Approach to Termination of Logic Programs 377 



Therefore, for a given k, $lfp(T^\alpha[\![P]\!])$ and $gfp(\mathcal{T}^\alpha[\![P]\!])$ allow us to define a cor- 
rect approximation of the non-safe set of goals of a program P. Note that the 
conditions in Definitions 4 and 9 can effectively be checked. 

Example 8. Consider the program $P_{11}$. 

$P_{11}$ : t(a) <- p(x,y), q(x,y). 
         q(f(f(y)), a) <- q(y,y). 
         p(f(y), f(y)) <- p(y,y). 
         p(a, a). 

Let $k = 3$ and $w_1, w_2 \in W$. For the sake of simplicity, we will consider only 
elements of the form $\langle \_, \infty \rangle \in gfp(\mathcal{T}^\alpha[\![P_{11}]\!])$. 

$gfp(\mathcal{T}^\alpha[\![P_{11}]\!])(t(x)) = \{\langle \{x/a\}, \infty \rangle\}$ 

$gfp(\mathcal{T}^\alpha[\![P_{11}]\!])(q(x,y)) = \{\langle \{x/f(f(w_1)), y/f(f(w_2))\}, \infty \rangle\}$ 

$gfp(\mathcal{T}^\alpha[\![P_{11}]\!])(p(x,y)) = \{\langle \{x/f(f(w_1)), y/f(f(w_2))\}, \infty \rangle\}$ 

$lfp(T^\alpha[\![P_{11}]\!])(t(x)) = \emptyset$ 

$lfp(T^\alpha[\![P_{11}]\!])(q(x,y)) = \emptyset$ 

$lfp(T^\alpha[\![P_{11}]\!])(p(x,y)) = \{\{x/a, y/a\}, \{x/f(a), y/f(a)\}, \{x/f(f(w_1)), y/f(f(w_2))\}\}$ 

Looking at our approximations, we can conclude that q(x,y) (and all of its 
instances) are safe for any k. Indeed, q(x,y) and all its instances do not belong 
to $Succ_{P_{11}}^k$. Therefore, for these goals, depth-first search is equivalent to breadth- 
first search. The same holds for t(x) and all its instances, since t(x) and all its 
instances do not belong to $Succ_{P_{11}}^k$. On the other hand, $p(x,y)\eta$ is safe just for 
$\eta \in \{\{x/f(x_1), y/x_1\}, \{x/x_1, y/f(x_1)\}\}$ or whenever $\eta$ is a grounding substitution 
for x or y belonging to $Subst_3$. In these cases, in fact, $p(x,y)\eta$ does not belong 
to $Inf_{P_{11}}^3$. 

Note that, for the goal p(x,y), we cannot infer that a depth-first search 
is equivalent to a breadth-first search. In fact, in order to find the successful 
derivations for p(x,y) we need to use a breadth-first search. 
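The two mechanical checks used in this section can be carried out with a few dozen lines of code: the depth-k cut of terms followed by ordinary unification (the reason the analysis of Example 6 fails for k = 3 and succeeds for k = 4), and the least fixpoint of the abstract answer operator of Definition 8 together with the membership test of Definition 9 used in Example 8. The Python below is an added example, not code from the paper or from any of the analyzers it cites; terms are tuples, variables are strings, the program P11 is transcribed from the listing above, and the iteration scheme (reapplying the operator to the empty interpretation until the set of depth-k answer atoms stops growing) and the names chosen for cut-off variables are this example's own choices.

```python
"""Depth-k abstraction, abstract unification and the abstract answer lfp
(added example, not the paper's code)."""
from itertools import count, product

# Terms: a variable is a str; a constant or compound term is a tuple whose first
# element is the functor, e.g. ("f", ("a",)) for f(a). Atoms have the same shape
# with the predicate name as functor, e.g. ("p", "X", "Y") for p(X, Y).
_counter = count()

def fresh(prefix="W"):
    """A variable name unused so far (the w_i of the depth-k domain)."""
    return f"{prefix}{next(_counter)}"

def is_var(t):
    return isinstance(t, str)

def walk(t, s):
    """Follow the bindings of substitution s while t is a bound variable."""
    while is_var(t) and t in s:
        t = s[t]
    return t

def apply(t, s):
    """Apply substitution s to term t."""
    t = walk(t, s)
    return t if is_var(t) else (t[0],) + tuple(apply(a, s) for a in t[1:])

def occurs(v, t, s):
    t = walk(t, s)
    return v == t if is_var(t) else any(occurs(v, a, s) for a in t[1:])

def unify(x, y, s=None):
    """Most general unifier of x and y extending s, or None if there is none."""
    s = dict(s or {})
    stack = [(x, y)]
    while stack:
        x, y = stack.pop()
        x, y = walk(x, s), walk(y, s)
        if x == y:
            continue
        if is_var(x) or is_var(y):
            v, t = (x, y) if is_var(x) else (y, x)
            if occurs(v, t, s):          # occur check: reject cyclic bindings
                return None
            s[v] = t
        elif x[0] != y[0] or len(x) != len(y):
            return None                  # functor or arity clash
        else:
            stack.extend(zip(x[1:], y[1:]))
    return s

def depth_k(t, k):
    """alpha_k: replace every subterm at depth k by a fresh variable, so that
    f(f(a)) becomes f(f(W)) for k = 3 and is left unchanged for k = 4."""
    if is_var(t):
        return t
    if k <= 1:
        return fresh()
    return (t[0],) + tuple(depth_k(a, k - 1) for a in t[1:])

def abstract_unifiable(s, t, k):
    """Abstract unification on the depth-k domain: unify the cut-off terms."""
    return unify(depth_k(s, k), depth_k(t, k)) is not None

def canon(t, names=None):
    """Rename variables by first occurrence, so answers that differ only in
    variable names compare equal (needed to detect that the fixpoint is reached)."""
    names = {} if names is None else names
    if is_var(t):
        return names.setdefault(t, f"_{len(names)}")
    return (t[0],) + tuple(canon(a, names) for a in t[1:])

def rename(t, names):
    """Rename apart: every variable of t gets a fresh name (shared via names)."""
    if is_var(t):
        return names.setdefault(t, fresh("V"))
    return (t[0],) + tuple(rename(a, names) for a in t[1:])

def lfp_answers(program, k):
    """Least fixpoint of the abstract operator of Definition 8. program is a
    list of (head_atom, [body_atoms]); the result maps pred -> set of atoms."""
    interp = {}
    while True:
        new = {}
        for head, body in program:
            names = {}
            head, body = rename(head, names), [rename(b, names) for b in body]
            # one stored answer atom (renamed apart) for each body atom
            choices = [[rename(a, {}) for a in interp.get(b[0], ())] for b in body]
            for picks in product(*choices):
                s = {}
                for b, a in zip(body, picks):
                    s = unify(b, a, s)
                    if s is None:
                        break
                if s is None:
                    continue
                args = tuple(depth_k(apply(a, s), k) for a in head[1:])
                new.setdefault(head[0], set()).add(canon((head[0],) + args))
        if new == interp:
            return interp
        interp = new

def in_succ(goal, answers):
    """Definition 9: a conjunctive goal is in Succ iff one answer atom per goal
    atom can be chosen so that all of them unify with the goal simultaneously."""
    choices = [[rename(a, {}) for a in answers.get(g[0], ())] for g in goal]
    for picks in product(*choices):
        s = {}
        for g, a in zip(goal, picks):
            s = unify(g, a, s)
            if s is None:
                break
        if s is not None:
            return True
    return False

# Program P11 of Example 8, transcribed from the listing above.
A = ("a",)
def f(t):
    return ("f", t)
P11 = [
    (("t", A), [("p", "X", "Y"), ("q", "X", "Y")]),
    (("q", f(f("Y")), A), [("q", "Y", "Y")]),
    (("p", f("Y"), f("Y")), [("p", "Y", "Y")]),
    (("p", A, A), []),
]
```

Running `lfp_answers(P11, 3)` yields exactly the three answers for p listed in Example 8 (the last one with two distinct cut-off variables, because each cut subterm gets its own fresh variable) and nothing for q and t, so `in_succ([("q", "X", "Y")], ...)` is false and q(x,y) is safe by Corollary 2. `abstract_unifiable(f(f(a)), f(f(b)), 3)` is true while the same call with k = 4 is false, which is the precision jump between the two halves of Example 6.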

7 Future Work 

In this paper we have proposed an abstract interpretation approach to universal 
termination. We have provided a semantic foundation for such an approach and 
developed a new abstract domain useful for termination analysis. Following these 
guidelines, other methods can be derived simply by computing an abstraction of 
our concrete semantics. In particular, we believe that this framework could allow 
us to reconstruct most of the existing automatic methods such as [44,38,32,45,34] 
as abstractions of the “exact answers” semantics on a suitable abstract domain. 
Once the different methods have been reconstructed in our framework, we can 
use general results of abstract interpretation. In particular, by using the reduced 
product [19], an operation on abstract domains which allows us to formally de- 
fine a new abstract domain as the optimal combination of abstract domains, it 
will be possible to combine the results of different approximations so that for 
each program and goal we can systematically obtain the most precise results. 
The resulting method can be viewed as a theoretical basis for the design of a 
refined system able to analyze termination of real Prolog programs. In order to 
achieve this goal, however, a further step needs to be performed, i.e. the abstract 
semantics has to be modified to take into account some Prolog features, such 
as control strategies and extra-logical features. We believe that it would not be 
very difficult, for example, to modify the abstract semantics in order to deal with 
Prolog's selection rule. Then an analyzer able to deal with full Prolog programs 
can be implemented and compared on benchmarks with the existing systems 
[30,35,13,42]. 

Finally we would like to point out that even if the k in the abstraction must 
be "guessed", we think that useful heuristics can be devised so as to provide 
"good" k's. In any case, recall that a coarse initial abstraction can easily be 
refined by incrementing such k's. 
Abstract. This paper introduces a novel approach for the specializa- 
tion of functional logic languages. We consider a maximally simplified 
abstract representation of programs (which still contains all the neces- 
sary information) and define a non-standard semantics for these pro- 
grams. Both things mixed together allow us to design a simple and con- 
cise partial evaluation method for modern functional logic languages, 
avoiding several limitations of previous approaches. Moreover, since these 
languages can be automatically translated into the abstract representa- 
tion, our technique is widely applicable. In order to assess the practi- 
cality of our approach, we have developed a partial evaluation tool for 
the multi-paradigm language Curry. The partial evaluator is written in 
Curry itself and has been tested on an extensive benchmark suite (even 
a meta-interpreter). To the best of our knowledge, this is the first purely 
declarative partial evaluator for a functional logic language. 



1 Introduction 

Partial evaluation (PE) is a source-to-source program transformation technique 
for specializing programs w.r.t. parts of their input (hence also called program 
specialization). PE has been studied, among others, in the context of functional 
programming (e.g., [9,21]), logic programming (e.g., [12,24]), and functional logic 
programming (e.g., [4,22]). While the aim of traditional partial evaluation is to 
specialize programs w.r.t. some known data, several PE techniques are able to 
go beyond this goal, achieving more powerful program optimizations. This is the 
case of a number of PE methods for functional programs (e.g., positive super- 
compilation [27]), logic programs (e.g., partial deduction [24]), and functional 
logic programs (e.g., narrowing-driven PE [4]). A common pattern of these tech- 
niques is that they are able to achieve optimizations regardless of whether known 
data are provided (e.g., they can eliminate some intermediate data structures, 
similarly to Wadler’s deforestation [28]). In some sense, these techniques are 
stronger theorem provers than traditional PE approaches. 

* This work has been partially supported by CICYT TIC 98-0445-C03-01, by Accion 
Integrada hispano-alemana HA1997-0073, and by the DFG under grant Ha 2457/Tl. 
Recent proposals of multi-paradigm declarative languages amalgamate the 
most important features of functional, logic and concurrent programming (see 
[14] for a survey). The operational semantics of these languages is usually based 
on a combination of two different operational principles: narrowing and residua- 
tion [15]. The residuation principle is based on the idea of delaying function calls 
until they are ready for a deterministic evaluation (by rewriting). On the other 
hand, the narrowing mechanism allows the instantiation of variables in input 
expressions and, then, applies reduction steps to the function calls of the instan- 
tiated expression. Due to its optimality properties w.r.t. the length of derivations 
and the number of computed solutions, needed narrowing [6] is currently the best 
narrowing strategy for functional logic programs. The formulation of needed nar- 
rowing is based on the use of definitional trees [5], which define a strategy to 
evaluate functions by applying narrowing steps. 

In this work, we are concerned with the PE of functional logic languages. 
The first approach to this topic was the narrowing-driven PE of [4], which con- 
sidered functional logic languages with an operational semantics based solely 
on narrowing. Recently, [2] introduced an extension of this basic framework in 
order to consider also the residuation principle. Using the terminology of [13], 
the narrowing-driven PE methods of [2,4] are able to produce both polyvariant 
and polygenetic specializations, i.e., they can produce different specializations for 
the same function definition and can also combine distinct original function def- 
initions into a comprehensive specialized function. This means that narrowing- 
driven PE has the same potential for specialization as positive supercompilation 
[27] and conjunctive partial deduction [10] (a comparison can be found in [4]). 

Despite its power, the narrowing-driven approach to PE suffers from several 
limitations: (i) Firstly, in the context of lazy functional logic languages, expres- 
sions in head normal form (i.e., rooted by a constructor symbol) cannot be 
evaluated at PE time. This restriction is imposed because the backpropagation 
of bindings to the left-hand sides of residual rules can incorrectly restrict the 
domain of functions (see Example 2). (ii) Secondly, if one intends to develop a 
PE scheme for a realistic multi-paradigm declarative language, several high-level 
constructs have to be considered: higher-order functions, constraints, program 
annotations, calls to external functions, etc. A complex operational calculus is 
required to properly deal with these additional features of modern languages. 
It is well-known that a partial evaluator normally includes an interpreter of the 
language. Therefore, as the operational semantics becomes more elaborated, the 
associated PE techniques become (more powerful but) also increasingly more 
complex. (iii) Finally, an interesting application of PE is the generation of com- 
pilers and compiler generators [21]. For this purpose, the partial evaluator must 
be self-applicable, i.e., able to partially evaluate itself. This becomes difficult in 
the presence of high-level constructs such as those mentioned in (ii). As advised 
in [21], it is essential to cut the language down to the bare bones in order to 
achieve self-application. 

In order to overcome the aforementioned problems, a promising approach 
successfully tested in other contexts (e.g., [7,25]) is to consider programs written 
in a maximally simplified programming language, into which programs written 
in a higher-level language can be automatically translated. Recently, [18] intro- 
duced an explicit representation of the structure of definitional trees (used to 
guide the needed narrowing strategy) in the rewrite rules. This provides more 
explicit control and leads to a calculus simpler than standard needed narrowing. 
Moreover, source programs can be automatically translated to the new repre- 
sentation.^ In this work, we consider a very simple abstract representation of 
functional logic programs which is based on the one introduced in [18]. As op- 
posed to [18], our abstract representation includes also information about the 
evaluation type of functions: flexible (which enables narrowing steps) or rigid 
(which forces delayed evaluation by rewriting). Then, we define a non-standard 
semantics which is specially well-suited to perform computations at PE time. 
This is a crucial difference with previous approaches [2,4], where the same mech- 
anism is used both for program execution and for PE. The use of an abstract 
representation, together with the new calculus, allows us to design a simple and 
concise automatic PE method for modern functional logic languages, breaking 
the limitations of previous approaches. 

Finally, since truly lazy functional logic languages can be automatically trans- 
lated into the abstract representation (which still contains all the necessary in- 
formation about programs), our technique is widely applicable. Following this 
scheme, partially evaluated programs will be also written in the abstract repre- 
sentation. Since existing compilers use a similar representation for intermediate 
code, this is not a restriction. Rather, our specialization process can be seen as 
an optimization phase (transparent to the user) performed during the compila- 
tion of the program. In order to assess the practicality of our approach, we have 
developed a PE tool for the multi-paradigm language Curry [19]. The partial 
evaluator is written in Curry itself and has been tested on an extensive set of 
benchmarks (even a meta-interpreter) . To the best of our knowledge, this is the 
first purely declarative partial evaluator for a functional logic language. 

The structure of this paper is as follows. After providing some preliminary 
definitions in Sect. 2, we present our approach for the PE of functional logic lan- 
guages based on the use of an abstract representation in Sect. 3. We also discuss 
the limitations of using the standard semantics during PE and, then, introduce 
a more suitable semantics. Section 4 presents a fully automatic PE algorithm 
based on the previous ideas, and Sect. 5 shows some benchmarks performed with 
an implementation of the partial evaluator. Finally, Sect. 6 concludes and dis- 
cusses some directions for future work. More details and missing proofs can be 
found in [3]. 

2 Preliminaries 

In this section we recall, for the sake of completeness, some basic notions from 
term rewriting [11] and functional logic programming [14]. We consider a (many-sorted) 
signature $\Sigma$ partitioned into a set $\mathcal{C}$ of constructors and a set $\mathcal{F}$ of 
(defined) functions or operations. We write $c/n \in \mathcal{C}$ and $f/n \in \mathcal{F}$ for $n$-ary 
constructor and operation symbols, respectively. There is at least one sort Bool 
containing the constructors True and False. The set of terms and constructor 
terms with variables (e.g., $x, y, z$) from $\mathcal{V}$ are denoted by $\mathcal{T}(\mathcal{C} \cup \mathcal{F}, \mathcal{V})$ and $\mathcal{T}(\mathcal{C}, \mathcal{V})$, 
respectively. The set of variables occurring in a term $t$ is denoted by $\mathcal{V}ar(t)$. A 
term is linear if it does not contain multiple occurrences of any variable. We 
write $\overline{o_n}$ for the sequence of objects $o_1, \ldots, o_n$. We denote by $root(t)$ the symbol 
at the root of the term $t$. A position $p$ in a term $t$ is denoted by a sequence of 
natural numbers. Positions are ordered by: $u \leq v$, if $\exists w$ such that $u.w = v$. The 
subterm of $t$ at position $p$ is denoted by $t|_p$, and $t[s]_p$ is the result of replacing 
the subterm $t|_p$ by the term $s$. 

We denote a substitution $\sigma$ by $\{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$ with $\sigma(x_i) = t_i$ for 
$i = 1, \ldots, n$ (where $x_i \neq x_j$ if $i \neq j$), and $\sigma(x) = x$ for all other variables 
$x$. By abuse, $\mathcal{D}om(\sigma) = \{x \in \mathcal{V} \mid \sigma(x) \neq x\}$ is called the domain of $\sigma$. Also, 
$\mathcal{R}an(\theta) = \{\theta(x) \mid x \in \mathcal{D}om(\theta)\}$. A substitution $\sigma$ is a constructor substitution, 
if $\sigma(x)$ is a constructor term $\forall x \in \mathcal{D}om(\sigma)$. The identity substitution is denoted 
by $\{\}$. Given a substitution $\theta$ and a set $V \subseteq \mathcal{V}$, we denote the substitution 
obtained from $\theta$ by restricting its domain to $V$ by $\theta|_V$. We write $\theta = \sigma\ [V]$ if 
$\theta|_V = \sigma|_V$, and $\theta \leq \sigma\ [V]$ denotes the existence of a substitution $\gamma$ such that 
$\gamma \circ \theta = \sigma\ [V]$. A term $t'$ is an instance of $t$ if $\exists \sigma$ with $t' = \sigma(t)$. 

A set of rewrite rules $l = r$ such that $l \notin \mathcal{V}$, and $\mathcal{V}ar(r) \subseteq \mathcal{V}ar(l)$ is called 
a term rewriting system (TRS). The terms $l$ and $r$ are called the left-hand side 
and the right-hand side of the rule, respectively. A rewrite step is an application 
of a rewrite rule to a term, i.e., $t \to_{p,R} s$ if there exists a position $p$ in $t$, a 
rewrite rule $R = (l = r)$ and a substitution $\sigma$ with $t|_p = \sigma(l)$ and $s = t[\sigma(r)]_p$. 
Given a relation $\to$, we denote by $\to^+$ the transitive closure of $\to$ and by $\to^*$ 
the transitive and reflexive closure of $\to$. A (constructor) head normal form is 
either a variable or a term rooted by a constructor symbol. To evaluate terms 
containing variables, narrowing nondeterministically instantiates the variables 
so that a rewrite step is possible. Formally, $t \leadsto_{p,R,\sigma} t'$ is a narrowing step if $p$ is 
a non-variable position in $t$ and $\sigma(t) \to_{p,R} t'$. We denote by $t_0 \leadsto^*_\sigma t_n$ a sequence 
of narrowing steps $t_0 \leadsto_{\sigma_1} \cdots \leadsto_{\sigma_n} t_n$ with $\sigma = \sigma_n \circ \cdots \circ \sigma_1$. (If $n = 0$ then 
$\sigma = \{\}$.) In functional programming, one is interested in the computed value 
whereas logic programming emphasizes the different bindings (answers). In an 
integrated setting, given a narrowing derivation $t_0 \leadsto^*_\sigma t_n$, we say that $t_n$ is the 
computed value and $\sigma$ is the computed answer for $t_0$. 

^ Indeed, it constitutes the basis of a recent proposal for a standard intermediate 
language, FlatCurry, for the compilation of Curry programs [20]. 



3 Using an Abstract Representation for PE 

In this section, we present an appropriate abstract representation for modern 
functional logic languages. We also provide a non-standard operational semantics 
which is specially well-suited to perform computations during partial evaluation. 

First, let us briefly recall the basis of the narrowing-driven approach to PE of 
[4]. Informally speaking, given a particular narrowing strategy, the (paramet- 
ric) notions of resultant and partial evaluation are defined as follows. A resultant 
is a program rule of the form $\sigma(s) = t$ associated to a narrowing derivation 
$s \leadsto^*_\sigma t$. A partial evaluation for a term $s$ in a program $\mathcal{R}$ is computed by con- 
structing a finite (possibly incomplete) narrowing tree for this term, and then 
extracting the resultants associated to the root-to-leaf derivations of the tree. 
Depending on the considered class of programs (and the associated narrowing 
strategy), a PE might require a post-processing of renaming to recover the same 
class of programs. An intrinsic feature of the narrowing-driven approach is the 
use of the same operational mechanism for both execution and PE. 



3.1 The Abstract Representation 



Recent approaches to functional logic programming consider inductively sequen- 
tial systems as programs and a combination of needed narrowing and residuation 
as operational semantics [15,19]. The precise mechanism (narrowing or residua- 
tion) for each function is specified by evaluation annotations, which are similar 
to coroutining declarations in Prolog, where the programmer specifies conditions 
under which a call is ready for a resolution step. Functions to be evaluated in a 
deterministic manner are declared as rigid (which forces deferred evaluation by 
rewriting), while functions providing for nondeterministic evaluation steps are 
declared as flexible (which enables narrowing steps). 

Similarly to [18], we present an abstract representation for programs in which 
the definitional trees (used to guide the needed narrowing strategy) are made 
explicit by means of case constructs. Moreover, here we distinguish two kinds 
of case expressions in order to make also explicit the flexible/rigid evaluation 
annotations. In particular, we assume that all functions are defined by one rule 
whose left-hand side contains only variables as parameters and the right-hand 
side contains case expressions for pattern-matching. Thanks to this new rep- 
resentation, we can define a simple operational semantics, which will become 
essential to simplify the definition of the associated PE scheme. The syntax for 
programs in the abstract representation is summarized as follows: 



  R ::= D_1 ... D_m 
  D ::= f(v_1, ..., v_n) = t 
  p ::= c(v_1, ..., v_n) 
  t ::= v                                            (variable) 
     |  c(t_1, ..., t_n)                             (constructor) 
     |  f(t_1, ..., t_n)                             (function call) 
     |  case t_0 of {p_1 -> t_1; ...; p_n -> t_n}      (rigid case) 
     |  fcase t_0 of {p_1 -> t_1; ...; p_n -> t_n}     (flexible case) 

where $\mathcal{R}$ denotes a program, $D$ a function definition, $p$ a pattern and $t$ an ar- 
bitrary expression. A program $\mathcal{R}$ consists of a sequence of function definitions 
$D$ such that the left-hand side is linear and has only variable arguments, i.e., 
pattern matching is compiled into case expressions. The right-hand side of each 
function definition is a term $t$ composed by variables, constructors, function calls, 
and case expressions. The form of a case expression is: $(f)case\ t\ of\ \{c_1(\overline{x_{n_1}}) \to 
t_1; \ldots; c_k(\overline{x_{n_k}}) \to t_k\}$, where $t$ is a term, $c_1, \ldots, c_k$ are different constructors of 
the type of $t$, and $t_1, \ldots, t_k$ are terms (possibly containing case expressions). 
The variables $\overline{x_{n_i}}$ are called pattern variables and are local variables which oc- 
cur only in the corresponding subexpression $t_i$. The difference between case and 
fcase shows up when the argument $t$ is a free variable: case suspends (which cor- 
responds to residuation) whereas fcase nondeterministically binds this variable 
to the pattern in a branch of the case expression (which corresponds to narrow- 
ing). Functions defined only by fcase (resp. case) expressions are called flexible 
(resp. rigid). Thus, flexible functions act as generators (like predicates in logic 
programming) and rigid functions act as consumers. Concurrency is expressed 
by a built-in operator & which evaluates its two arguments concurrently. This 
operator can be defined by the rule: True & True = True and, hence, in the 
following we simply consider it as an ordinary function symbol. 

Example 1. Consider the rules defining the (rigid) function "≤": 

  0        ≤ n        = True 
  (Succ m) ≤ 0        = False 
  (Succ m) ≤ (Succ n) = m ≤ n 

By using case expressions, they can be represented by the following rewrite rule: 

  x ≤ y = case x of {0 -> True; 
                     (Succ x1) -> case y of {0 -> False; 
                                             (Succ y1) -> x1 ≤ y1}} 

Due to the presence of fresh pattern variables in the right-hand side of the 
rule, this is not a standard rewrite rule. Nevertheless, the reduction of a case 
expression binds these pattern variables so that they disappear during a concrete 
evaluation (see [18]). 

3.2 The Residualizing Semantics 

An automatic transformation from inductively sequential programs to programs 
using case expressions is introduced in [18]. They also provide an appropriate 
operational semantics for these programs: the LNT calculus (Lazy Narrowing 
with definitional Trees), which is equivalent to needed narrowing over inductively 
sequential programs. In this work, we consider functional logic languages with a 
more general operational principle, namely a combination of (needed) narrowing 
and residuation. Nevertheless, the translation method of [18] could be easily 
extended to cover programs containing evaluation annotations; namely, flexible 
(resp. rigid) functions are translated by using only fcase (resp. case) expressions. 
Moreover, the LNT calculus of [18] can also be extended to correctly evaluate case/fcase expressions. In the following, we use "the LNT calculus" to mean the LNT calculus of [18] extended to cope with case/fcase expressions (the formal definition can be found in [3]).

Unfortunately, by using the standard semantics during PE, we would have the same problems as previous approaches (see Sect. 1). In particular, one of the main problems comes from the backpropagation of variable bindings to the left-hand sides of residual rules. In the context of lazy (call-by-name) functional logic languages, this can provoke an incorrect restriction on the domain of functions (regarding the ability to compute head normal forms) and, thus, the loss of correctness of the transformation whenever some term in head normal form is evaluated during PE. The following example illustrates this point.

Footnote: Although we consider in this work a first-order language, we use a curried notation in the examples (as is usual in functional languages).

Example 2. Consider the following program:

isZero 0 = True
nonEmptyList (x : xs) = True
foo x = isZero x : []

Here we use "[]" and ":" as constructors of lists, and "0" and "Succ" to define natural numbers. Then, given the (unique) computation for foo y:

foo y  =>  (isZero y) : []  =>_{y ↦ 0}  True : []

where (isZero y) : [] is in head normal form, we get the residual rule:

foo 0 = True : []

However, the expression nonEmptyList (foo (Succ 0)) can be evaluated to True in the original program:

nonEmptyList (foo (Succ 0))  =>  nonEmptyList (isZero (Succ 0) : [])  =>  True

whereas it is not possible if the residual rule for foo is used (together with the original definitions for isZero and nonEmptyList).

The restriction on forbidding the evaluation of head normal forms can drastically reduce the optimization power of the transformation in some cases. Therefore, we propose a residualizing version of the LNT calculus which allows us to avoid this restriction. In the new calculus, variable bindings are encoded by case expressions (and are considered "residual" code). The inference rules of the new calculus, RLNT (Residualizing LNT), can be seen in Fig. 1. Let us explain the inference rules defining the one-step relation =>. We note that the symbols "⟦" and "⟧" in an expression like ⟦t⟧ are purely syntactical (i.e., they do not denote "the value of t"). Indeed, they are only used to guide the inference rules and, most importantly, to mark which part of an expression can still be evaluated (within the square brackets) and which part must be definitively residualized (not within the square brackets). Let us briefly describe the rules of the calculus:

HNF. The HNF (Head Normal Form) rules are used to evaluate terms in head 
normal form. If the expression is a variable or a constructor constant, the 
square brackets are removed and the evaluation process stops. Otherwise, 
the evaluation proceeds with the arguments. This evaluation can be made 
in a don’t care nondeterministic manner. Note, though, that this source of 
nondeterminism can be easily avoided by considering a fixed selection rule, 
e.g., by selecting the leftmost argument which is not a constructor term. 
HNF              ⟦t⟧ => t                                  if t ∈ V or t = c() with c/0 ∈ C
                 ⟦c(t1, ..., tn)⟧ => c(⟦t1⟧, ..., ⟦tn⟧)

Case-of-Case     ⟦(f)case ((f)case t of {pk -> tk}) of {p'j -> t'j}⟧
                    => ⟦(f)case t of {pk -> (f)case tk of {p'j -> t'j}}⟧

Case Function    ⟦(f)case g(t1, ..., tn) of {pk -> tk}⟧ => ⟦(f)case σ(r) of {pk -> tk}⟧
                    if g(x1, ..., xn) = r ∈ R is a rule with fresh variables
                    and σ = {x1 ↦ t1, ..., xn ↦ tn}

Case Select      ⟦(f)case c(t1, ..., tn) of {pk -> tk}⟧ => ⟦σ(ti)⟧
                    if pi = c(x1, ..., xn), c ∈ C, σ = {x1 ↦ t1, ..., xn ↦ tn}

Case Guess       ⟦(f)case x of {pk -> tk}⟧ => (f)case x of {pk -> ⟦σk(tk)⟧}
                    if σi = {x ↦ pi}, i = 1, ..., k

Function Eval    ⟦g(t1, ..., tn)⟧ => ⟦σ(r)⟧
                    if g(x1, ..., xn) = r ∈ R is a rule with fresh variables
                    and σ = {x1 ↦ t1, ..., xn ↦ tn}

Fig. 1. RLNT Calculus



Case-of-Case. This rule moves the outer case inside the branches of the inner 
one. Rigorously speaking, this rule can be expanded into four rules (with 
the different combinations for case and fcase expressions), but we keep the 
above (less formal) presentation for simplicity. Observe that the outer case 
expression may be duplicated several times, but each copy is now (possibly) 
scrutinizing a known value, and so the Case Select rule can be applied to 
eliminate some case constructs. 

Case Function. This rule can be only applied when the argument of the case is 
operation-rooted. In this case, it allows the unfolding of the function call. 

Case Guess. It represents the main difference w.r.t. the standard LNT calculus. In order to imitate the instantiation of variables in needed narrowing steps, this rule is defined in the standard LNT calculus as follows:

⟦fcase x of {pk -> tk}⟧ => ⟦σ(ti)⟧   if σ = {x ↦ pi}, i = 1, ..., k

However, in this case, we would inherit the limitations of previous approaches. Therefore, it has been modified in order not to backpropagate the bindings of variables. In particular, we "residualize" the case structure and continue with the evaluation of the different branches (by applying the corresponding substitution in order to propagate bindings forward in the computation). Note that, due to this modification, no distinction between flexible and rigid case expressions is needed in the RLNT calculus.

Function Eval. This rule performs the unfolding of a function call. As in proof procedures for logic programming, we assume that we take a program rule with fresh variables in each such evaluation step.

In contrast to the standard LNT calculus, the inference system of Fig. 1 is completely deterministic, i.e., there is no don't know nondeterminism involved in the computations. This means that only one derivation can be issued from a given term (thus, there is no need to introduce a notion of RLNT "tree").

Example 3. Consider the well-known function app to concatenate two lists:

app x y = case x of {[] -> y;
                     (a : b) -> a : (app b y)}

Given the call app (app x y) z to concatenate three lists, we have the following (partial) derivation using the rules of the RLNT calculus:

⟦app (app x y) z⟧
=> ⟦case (app x y) of {[] -> z; (a : b) -> (a : app b z)}⟧
=> ⟦case (case x of {[] -> y; (a' : b') -> (a' : app b' y)})
      of {[] -> z; (a : b) -> (a : app b z)}⟧
=> ⟦case x of {[] -> case y of {[] -> z; (a : b) -> (a : app b z)};
               (a' : b') -> case (a' : app b' y) of {[] -> z; (a : b) -> (a : app b z)}}⟧
=> case x of {[] -> ⟦case y of {[] -> z; (a : b) -> (a : app b z)}⟧;
              (a' : b') -> ⟦case (a' : app b' y) of {[] -> z; (a : b) -> (a : app b z)}⟧}
=> case x of {[] -> case y of {[] -> z; (a : b) -> (a : ⟦app b z⟧)};
              (a' : b') -> ⟦case (a' : app b' y) of {[] -> z; (a : b) -> (a : app b z)}⟧}
=>* case x of {[] -> case y of {[] -> z; (a : b) -> (a : ⟦app b z⟧)};
               (a' : b') -> (a' : ⟦app (app b' y) z⟧)}
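As an added illustration (this is not code from the paper), the following Python interpreter implements the six rules of Fig. 1 over a tuple encoding of the abstract representation and replays the derivation of Example 3 step by step. The tuple encoding, the renaming of rule variables by adding primes, and the unfolding rule U (a bound on the number of Case Function / Function Eval steps, set to two here) are assumptions of this example; the program R contains only the rule for app.

```python
# Added example (not code from the paper): an interpreter for the RLNT calculus
# of Fig. 1 over a tuple encoding of the abstract representation.  The program R
# here is the rule for app of Example 3; the unfolding rule U is a depth bound
# on the number of unfoldings (an assumption of this example).

def var(n): return ('var', n)
def con(n, *a): return ('con', n, list(a))
def fun(n, *a): return ('fun', n, list(a))
def case(kind, scrut, branches): return ('case', kind, scrut, branches)
def box(t): return ('box', t)            # the square brackets [[t]] of the calculus

# R:  app x y = case x of {[] -> y; (a : b) -> a : (app b y)}
PROGRAM = {'app': (['x', 'y'], case('case', var('x'), [
    (con('[]'), var('y')),
    (con(':', var('a'), var('b')), con(':', var('a'), fun('app', var('b'), var('y'))))]))}

def variables(t):
    """Names of all variables in t, pattern variables included."""
    if t[0] == 'var': return {t[1]}
    if t[0] == 'box': return variables(t[1])
    kids = [t[2]] + [x for br in t[3] for x in br] if t[0] == 'case' else t[2]
    return set().union(*map(variables, kids))

def subst(t, sigma):
    """Apply the substitution sigma (variable name -> term) to t."""
    if t[0] == 'var': return sigma.get(t[1], t)
    if t[0] == 'box': return box(subst(t[1], sigma))
    if t[0] == 'case':
        return case(t[1], subst(t[2], sigma), [(subst(p, sigma), subst(b, sigma)) for p, b in t[3]])
    return (t[0], t[1], [subst(a, sigma) for a in t[2]])

def instantiate(name, args, used):
    """sigma(r) for the rule name(x1, ..., xn) = r taken with fresh variables:
    every variable of r other than a parameter is renamed apart from `used` by
    adding primes, which reproduces the a', b' of the paper's derivations."""
    params, body = PROGRAM[name]
    sigma, taken = dict(zip(params, args)), set(used)
    for v in sorted(variables(body) - set(params)):
        new = v
        while new in taken: new += "'"
        taken.add(new)
        sigma[v] = var(new)
    return subst(body, sigma)

def reduce_box(t, used, budget):
    """One step of Fig. 1 on [[t]]; returns (result, budget) or None if no rule
    applies.  Case Function and Function Eval each consume one unit of budget."""
    k = t[0]
    if k == 'var' or (k == 'con' and not t[2]): return t, budget         # HNF: stop
    if k == 'con': return ('con', t[1], [box(a) for a in t[2]]), budget  # HNF: into the arguments
    if k == 'fun':                                                        # Function Eval
        return None if budget == 0 else (box(instantiate(t[1], t[2], used)), budget - 1)
    kind, s, brs = t[1], t[2], t[3]
    if s[0] == 'case':                                                    # Case-of-Case
        return box(case(s[1], s[2], [(p, case(kind, b, brs)) for p, b in s[3]])), budget
    if s[0] == 'fun':                                                     # Case Function
        return None if budget == 0 else (box(case(kind, instantiate(s[1], s[2], used), brs)), budget - 1)
    if s[0] == 'con':                                                     # Case Select
        for p, b in brs:
            if p[1] == s[1]:
                return box(subst(b, {x[1]: a for x, a in zip(p[2], s[2])})), budget
        return None
    if s[0] == 'var':                                                     # Case Guess
        return case(kind, s, [(p, box(subst(b, {s[1]: p}))) for p, b in brs]), budget
    return None

def step(t, used, budget):
    """Rewrite the leftmost box to which a rule applies; None when t is final."""
    if t[0] == 'box': return reduce_box(t[1], used, budget)
    if t[0] == 'var': return None
    kids = [t[2]] + [b for _, b in t[3]] if t[0] == 'case' else t[2]
    for i, kid in enumerate(kids):
        r = step(kid, used, budget)
        if r is None: continue
        kids = kids[:i] + [r[0]] + kids[i + 1:]
        if t[0] == 'case':
            return case(t[1], kids[0], [(p, b) for (p, _), b in zip(t[3], kids[1:])]), r[1]
        return (t[0], t[1], kids), r[1]
    return None

def unfold(t, budget=2):
    """U(t): the derivation [[t]] =>* t' with at most `budget` unfoldings;
    returns the final term and the list of all intermediate terms."""
    cur, trace = box(t), [box(t)]
    while True:
        r = step(cur, variables(cur), budget)
        if r is None: return cur, trace
        cur, budget = r
        trace.append(cur)

def delsq(t):
    """Remove all square brackets, gi
ving the right-hand side of a residual rule."""
    if t[0] == 'box': return delsq(t[1])
    if t[0] == 'var': return t
    if t[0] == 'case': return case(t[1], delsq(t[2]), [(p, delsq(b)) for p, b in t[3]])
    return (t[0], t[1], [delsq(a) for a in t[2]])

def show(t):
    """The paper's curried notation, with [[t]] for the brackets."""
    if t[0] == 'var': return t[1]
    if t[0] == 'box': return '[[' + show(t[1]) + ']]'
    if t[0] == 'con' and t[1] == ':': return '(%s : %s)' % (show(t[2][0]), show(t[2][1]))
    if t[0] == 'case':
        return '%s %s of {%s}' % (t[1], atom(t[2]), '; '.join(show(p) + ' -> ' + show(b) for p, b in t[3]))
    return ' '.join([t[1]] + [atom(a) for a in t[2]])

def atom(t):
    """Parenthesise a non-atomic argument."""
    atomic = t[0] in ('var', 'box') or (t[0] in ('con', 'fun') and (not t[2] or t[1] == ':'))
    return show(t) if atomic else '(' + show(t) + ')'

if __name__ == '__main__':
    for term in unfold(fun('app', fun('app', var('x'), var('y')), var('z')))[1]:
        print(show(term))
```

Running the block prints the twelve terms of the derivation; the last one is exactly the final term of Example 3, and delsq of it is the right-hand side of the residual rule of Example 7 (before dapp is introduced by renaming). The bracketed calls that survive are precisely those the budget did not allow to unfold, which is what the abstraction operator of Sect. 4 later inspects.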

The resulting RLNT calculus shares many similarities with the driving mecha- 
nism of [27] and Wadler’s deforestation [28] (although we obtained it indepen- 
dently by refining the original LNT calculus to avoid the backpropagation of 
bindings). The main differences w.r.t. the driving mechanism are that we in- 
clude the Case-of-Case rule and that driving is defined also for if_then_else 
constructs (which can be expressed in our representation by means of case ex- 
pressions). The main difference w.r.t. deforestation is revealed in the Case Guess 
rule, where the patterns pi are substituted in the different branches, like in the 
driving transformation. Although it may seem only a slight difference, situations 
may arise during transformation in which our calculus (as well as the driving 
mechanism) takes advantage of the sharing between different arguments while 
deforestation may not (see [27]). 

A common restriction in related program transformations is to forbid the unfolding of function calls using program rules whose right-hand side is not linear. This avoids the duplication of calls under an eager (call-by-value) semantics or under a lazy (call-by-name) semantics implementing the sharing of common variables. Since our computation model is based on a lazy semantics which does not consider the sharing of variables, we do not run the risk of duplicating computations. Nevertheless, if sharing is considered (as in, e.g., the language Curry), this restriction can be implemented by requiring right-linear program rules in order to apply the Case Function and Function Eval rules.
Regarding the PE of programs with flexible/rigid evaluation annotations, [2] introduced a special treatment in order to correctly infer the evaluation annotations for residual definitions. Within this approach, one is forced to split resultants by introducing several intermediate functions in order not to mix bindings which come from the evaluation of flexible and rigid functions. Moreover, to avoid the creation of a large number of intermediate functions, only the computation of a single needed narrowing step for suspended expressions is allowed. Now, by using case expressions (instead of functions defined by patterns as in [2]), we are able to proceed with the specialization of suspended expressions beyond a single needed narrowing step without being forced to split the associated resultant (and hence without increasing the size of the residual program). This is justified by the fact that case constructs preserve the rigid or flexible nature of the functions which instantiate the variables. The following example is taken from [2] and illustrates that the use of case constructs to represent function definitions simplifies the residual program.

Example 4. Consider a program and its PE for the term f x (g y (h z)), according to the technique introduced in [2]:

f 0 (Succ 0) = 0          % flex
g 0 0        = (Succ 0)   % rigid
h 0          = 0          % flex

f' 0 Y Z       = f1 Y Z   % flex
f1 (Succ 0) Z  = f2 Z     % rigid
f2 0           = f3       % flex
f3             = 0        % flex

where f x (g y (h z)) is renamed as f' x y z. The original program can be translated to our abstract representation as follows:

f x y = fcase x of {0 -> fcase y of {(Succ 0) -> 0}}
g x y = case x of {0 -> case y of {0 -> (Succ 0)}}
h x = fcase x of {0 -> 0}

The following PE for f x (g y (h z)), constructed by using the rules of the RLNT calculus, avoids the introduction of three intermediate rules and, thus, is notably simplified:

f' x y z = fcase x of {0 -> case y of {(Succ 0) -> fcase z of {0 -> 0}}}

The next result establishes a precise equivalence between the standard semantics (the LNT calculus) and its residualizing version. In the following, we denote by =>Guess the application of the following rule from the standard semantics:

⟦fcase x of {pk -> tk}⟧ =>Guess ⟦σ(ti)⟧   if σ = {x ↦ pi}, i = 1, ..., k

Furthermore, we denote by delsq(t) the expression which results from t by deleting all the occurrences of "⟦" and "⟧" (if any).

Theorem 1. Let t be a term, V ⊇ Var(t) a finite set of variables, d a constructor term, and R a program in the abstract representation. For each LNT derivation ⟦t⟧ =>* d for t w.r.t. R computing the answer σ, there exists an RLNT derivation ⟦t⟧ =>* t' for t w.r.t. R such that there is a finite sequence ⟦delsq(t')⟧ =>Guess ... =>Guess d with computed substitutions σ1, ..., σn, where σn ∘ ... ∘ σ1 = σ [V], and vice versa.

Roughly speaking, for each (successful) LNT derivation from t to a constructor term d computing σ, there is a corresponding RLNT derivation from t to t' in which the computed substitution σ is encoded in t' by case expressions and can be obtained by a (finite) sequence of =>Guess steps (deriving the same value d).

Footnote: Indeed, the treatment for case/fcase expressions is the same in the RLNT calculus.

4 Control Issues for Partial Evaluation 

Following [12], a simple on-line PE algorithm can proceed as follows. Given a term t and a program R, we compute a finite (possibly incomplete) RLNT derivation ⟦t⟧ =>* s for t w.r.t. R. Then, this process is iteratively repeated for any subterm which occurs in the expression s and which is not closed w.r.t. the set of terms already evaluated. Informally, the closedness condition guarantees that each call which might occur during the execution of the residual program is covered by some program rule. If this process terminates, it computes a set of partially evaluated terms S such that the closedness condition is satisfied and, moreover, it uniquely determines the associated residual program.

First, we formalize the notion of closedness adjusted to our abstract repre- 
sentation. 

Definition 1. Let S be a set of terms and t be a term. We say that t is S-closed if closed(S, t) holds, where the relation "closed" is defined inductively as follows:

closed(S, t) =
   true                                                if t ∈ V
   closed(S, t1) ∧ ... ∧ closed(S, tn)                 if t = c(t1, ..., tn), c ∈ C
   closed(S, t') ∧ ∧_{i ∈ {1, ..., k}} closed(S, ti)   if t = (f)case t' of {pk -> tk}
   ∧_{t' ∈ Ran(θ)} closed(S, t')                       if ∃ s ∈ S such that t = θ(s)

A set of terms T is S-closed, written closed(S, T), if closed(S, t) holds for all t ∈ T.

According to this definition, variables are always closed, while an operation-rooted term is S-closed if it is an instance of some term in S and the terms in the matching substitution are recursively S-closed. On the other hand, for constructor-rooted terms and for case expressions, we have two nondeterministic ways to proceed: either by checking the closedness of their arguments or by proceeding as in the case of an operation-rooted term. For instance, a case expression such as case t of {p1 -> t1; ...; pk -> tk} can be proved closed w.r.t. S either by checking that the set {t, t1, ..., tk} is S-closed (patterns are not considered here since they are constructor terms and hence closed by definition) or by testing whether the whole case expression is an instance of some term in S.

Footnote: Note that, since the RLNT calculus is deterministic, there is no branching. Thus, only a single derivation can be computed from a term.
Example 5. Let us consider the following set of terms:

S = {app a b, case (app a b) of {[] -> z; (x : y) -> (app y z)}}.

The expression case (app a' b') of {[] -> z'; (x' : y') -> (app y' z')} can be proved S-closed using the first element of the set (by checking that the subterms app a' b' and app y' z' are instances of app a b) or by testing that the whole expression is an instance of the second element of the set.

The PE algorithm outlined above involves two control issues: the so-called local control, which concerns the computation of partial evaluations for single terms, and the global control, which ensures the termination of the iterative process while still guaranteeing that the closedness condition is eventually reached. Following [12], we present a PE procedure which is parameterized by:

— An unfolding rule U (local control), which determines how to stop RLNT derivations. Formally, U is a (total) function from terms to terms such that, whenever U(s) = t, then there exists a finite RLNT derivation ⟦s⟧ =>+ t.

— An abstraction operator abstract (global control), which keeps the set of partially evaluated terms finite. It takes two sets of terms S and T (which represent the current partially evaluated terms and the terms to be added to this set, respectively) and returns a safe approximation of S ∪ T. Here, by "safe" we mean that each term in S ∪ T is closed w.r.t. the result of abstract(S, T).

Definition 2. Let R be a program and T a finite set of expressions. We define the PE function P as follows:

P(R, T) = S   if abstract({}, T) ↦* S and S ↦ S

where ↦ is defined as the smallest relation satisfying

      S' = {s' | s ∈ S ∧ U(s) = s'}
   ----------------------------------
         S ↦ abstract(S, S')

We note that the function P does not compute a partially evaluated program, but a set of terms S from which an S-closed PE can be uniquely constructed using the unfolding rule U. To be precise, for each term s ∈ S with U(s) = t, we produce a residual rule s = t. Moreover, in order to ensure that the residual program fulfills the syntax of our abstract representation, a renaming of the partially evaluated calls is necessary. This can be done by applying a standard post-processing renaming transformation. We do not present the details of this transformation here but refer to [3].

As for local control, a number of well-known techniques can be applied for ensuring the finiteness of RLNT derivations, e.g., depth-bounds, loop-checks, well-founded (or well-quasi) orderings (see, e.g., [8,23,26]). For instance, an unfolding rule based on the use of the homeomorphic embedding ordering has been proposed in [4].

As for global control, an abstraction operator should essentially distinguish the same cases as in the closedness definition. Intuitively, the reason is that the abstraction operator must first check whether a term is closed and, if not, try to add this term (or some of its subterms) to the set. Therefore, given a call abstract(S, {t}), an abstraction operator usually distinguishes three main cases depending on t:

— if t is constructor-rooted, it tries to add the arguments of t;

— if it is operation-rooted and is an instance of some term in S, it tries to add the terms in the matching substitution;

— otherwise (an operation-rooted term which is not an instance of any term in S), it is simply added to S (or generalized in order to keep the set S finite).

Our particular abstraction operator uses a quasi-ordering, namely the homeomorphic embedding relation ⊴ (see, e.g., [23]), to ensure termination, and generalizes those calls which do not satisfy this ordering by using the msg (most specific generalization) between terms.

As opposed to previous abstraction operators [4] , here we need to give a spe- 
cial treatment to case expressions. Of course, if one considers the case symbol as 
an ordinary constructor symbol, the extension would be straightforward. Unfor- 
tunately, this will often provoke a serious loss of specialization, as the following 
example illustrates. 

Example 6. Let us consider again the program app and the RLNT derivation of Example 3:

⟦app (app x y) z⟧
=>* ⟦case (case x of {[] -> y; (a' : b') -> (a' : app b' y)})
       of {[] -> z; (a : b) -> (a : app b z)}⟧
=>* case x of {[] -> case y of {[] -> z; (a : b) -> (a : ⟦app b z⟧)};
               (a' : b') -> (a' : ⟦app (app b' y) z⟧)}

If one considers an unfolding rule which stops the derivation at the intermediate case expression, then the abstraction operator will attempt to add only the operation-rooted subterms app b' y and app b z to the set of terms to be specialized. This will prevent us from obtaining an efficient (recursive) residual function for the original term, since we will never reach again an expression containing app (app x y) z (see Example 7).

On the other hand, by treating case expressions as operation-rooted terms, the 
problem is not solved. For instance, if we consider that the unfolding rule returns 
the last term of the above derivation, then it is not convenient to add the whole 
term to the current set. Here, the best choice would be to treat the case symbol 
as a constructor symbol. Moreover, a similar situation arises when considering 
constructor-rooted terms, since the RLNT calculus has no restrictions to evaluate 
terms in head normal form. 

Footnote: A generalization of the set of terms S = {t1, ..., tn} is a pair (t, {θ1, ..., θn}) such that, ∀i ∈ {1, ..., n}, θi(t) = ti. The pair (t, {θ1, ..., θn}) is the most specific generalization of S, written msg(S), if (t, {θ1, ..., θn}) is a generalization and for every other generalization (t', {θ'1, ..., θ'n}) of S, t' is more general than t.

Luckily, the RLNT calculus gives us some leeway. The key idea is to take into account the position of the square brackets of the calculus: an expression within square brackets should be added to the set of partially evaluated terms (if possible), while expressions which are not within square brackets should be definitively residualized (i.e., ignored by the abstraction operator, except for operation-rooted terms).

Definition 3. Given two finite sets of terms, T and S, we define

abstract(S, T) =
   S                                      if T = {}
   abs(... abs(S, t1) ..., tn)            if T = {t1, ..., tn}, n ≥ 1

The function abs(S, t) distinguishes the following cases:

abs(S, t) =
   S                                      if t ∈ V
   abstract(S, {t1, ..., tn})             if t = c(t1, ..., tn), c ∈ C
   abstract(S, {t', t1, ..., tn})         if t = (f)case t' of {pn -> tn}
   try_add(S, t)                          if t = f(t1, ..., tn), f ∈ F
   try_add(S, t')                         if t = ⟦t'⟧

Finally, the function try_add(S, t) is defined as follows:

try_add(S, t) =
   abstract(S \ {s}, {s'} ∪ Ran(θ1) ∪ Ran(θ2))   if ∃ s ∈ S. root(s) = root(t) and s ⊴ t,
                                                  where (s', {θ1, θ2}) = msg({s, t})
   S ∪ {t}                                        otherwise

Let us informally explain this definition. Given a set of terms S, in order to add a new term t, the abstraction operator abs distinguishes the following cases:

— variables are disregarded;

— if t is rooted by a constructor symbol or by a case symbol, then it recursively inspects the arguments;

— if t is rooted by a defined function symbol or it is enclosed within square brackets, then the abstraction operator tries to add it to S with try_add (even if it is constructor-rooted or a case expression). Now, if t does not embed any comparable (i.e., with the same root symbol) term in S, then t is simply added to S. Otherwise, if t embeds some comparable term of S, say s, then the msg of s and t is computed, say (s', {θ1, θ2}), and it finally attempts to add s' as well as the terms in θ1 and θ2 to the set resulting from removing s from S.

Let us consider an example to illustrate the complete PE process. 



Example 7. Consider the program R_app which contains the rule defining the function app. In order to compute P(R_app, {app (app x y) z}), we start with:

S0 = abstract({}, {app (app x y) z}) = {app (app x y) z}

For the first iteration, we assume that:

U(app (app x y) z) =
   case x of {[] -> case y of {[] -> z; (a : b) -> (a : ⟦app b z⟧)};
              (a' : b') -> (a' : ⟦app (app b' y) z⟧)}

(see the derivation in Example 3). Then, we compute:

S1 = abstract(S0, {U(app (app x y) z)}) = {app (app x y) z, app b z}

For the next iteration, we assume that:

U(app b z) = case b of {[] -> z; (c : d) -> c : ⟦app d z⟧}

Therefore, abstract(S1, {U(app b z)}) = S1 and the process finishes. The associated residual rules are (after renaming the original expression by dapp x y z):

dapp x y z = case x of {[] -> case y of {[] -> z;
                                         (a : b) -> (a : app b z)};
                        (a' : b') -> (a' : dapp b' y z)}

app b z = case b of {[] -> z; (c : d) -> (c : app d z)}

Note that the optimized function dapp is able to concatenate three lists by traversing the first list only once, which is not possible in the original program.

Footnote: The particular order in which the elements of T are added to S by abstract cannot affect correctness but can degrade the effectiveness of the algorithm. A more precise treatment can be easily given by using sequences instead of sets of terms.
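As an added example (not the paper's code), the following Python block implements the closedness relation of Def. 1 and the abstraction operator of Def. 3 (abstract, abs and try_add) over a tuple encoding of terms, and runs them on Example 5 and on the two iterations of Example 7. The homeomorphic embedding and the msg are the standard definitions; try_add additionally applies the "t is an instance of some term in S" case from the informal three-case description of abstraction operators given earlier in this section, which is an assumption of this example (without it, a variant such as app (app b' y) z would be generalized instead of being recognized as already covered). The sample terms U(app (app x y) z) and U(app b z) are constructed by hand from the page.

```python
# Added example (not the paper's code): the closedness test of Def. 1 and the
# abstraction operator of Def. 3 (abstract / abs / try_add) over a tuple
# encoding of terms, run on Example 5 and on the two iterations of Example 7.
# Assumptions made here: the standard homeomorphic embedding and msg, and an
# extra "t is an instance of some s in S" case in try_add, taken from the
# informal three-case description of abstraction operators in Sect. 4.

def var(n): return ('var', n)
def con(n, *a): return ('con', n, list(a))
def fun(n, *a): return ('fun', n, list(a))
def case(kind, scrut, branches): return ('case', kind, scrut, branches)
def box(t): return ('box', t)

def root(t):
    """Root symbol (with arity); for a case, its kind and the pattern constructors."""
    if t[0] in ('var', 'box'): return (t[0],)
    if t[0] == 'case': return ('case', t[1], tuple(p[1] for p, _ in t[3]))
    return (t[0], t[1], len(t[2]))

def children(t):
    """Immediate subterms; patterns are left out (they are closed by definition)."""
    if t[0] == 'var': return []
    if t[0] == 'box': return [t[1]]
    if t[0] == 'case': return [t[2]] + [b for _, b in t[3]]
    return t[2]

def rebuild(t, kids):
    """t with its children replaced by kids (inverse of children)."""
    if t[0] == 'box': return box(kids[0])
    if t[0] == 'case': return case(t[1], kids[0], [(p, b) for (p, _), b in zip(t[3], kids[1:])])
    return (t[0], t[1], list(kids))

def matches(s, t, theta):
    """Is t = theta(s) for some extension of theta?  Variables of t act as constants."""
    if s[0] == 'var':
        if s[1] in theta: return theta[s[1]] == t
        theta[s[1]] = t
        return True
    return root(s) == root(t) and all(matches(a, b, theta) for a, b in zip(children(s), children(t)))

def closed(S, t):
    """Def. 1: t is S-closed."""
    if t[0] == 'var': return True
    if t[0] in ('con', 'case') and all(closed(S, u) for u in children(t)): return True
    for s in S:                      # t = theta(s) for some s in S, with Ran(theta) closed
        theta = {}
        if matches(s, t, theta) and all(closed(S, u) for u in theta.values()): return True
    return False

def embeds(s, t):
    """Homeomorphic embedding s ⊴ t: variables embed variables; diving into an
    argument of t; or coupling of equal roots with pairwise embedded arguments."""
    if s[0] == 'var' and t[0] == 'var': return True
    if any(embeds(s, u) for u in children(t)): return True
    return s[0] != 'var' and root(s) == root(t) and all(embeds(a, b) for a, b in zip(children(s), children(t)))

def msg(s, t):
    """Most specific generalisation: (g, theta1, theta2) with theta1(g) = s and theta2(g) = t."""
    memo, th1, th2 = {}, {}, {}
    def gen(s, t):
        if s == t: return s
        if s[0] != 'var' and root(s) == root(t):
            return rebuild(s, [gen(a, b) for a, b in zip(children(s), children(t))])
        key = (repr(s), repr(t))                     # the same pair always gets the same variable
        if key not in memo:
            v = 'v%d' % (len(memo) + 1)
            memo[key], th1[v], th2[v] = var(v), s, t
        return memo[key]
    return gen(s, t), th1, th2

def abstract(S, T):
    """Def. 3: add the terms of T to S one at a time."""
    for t in T: S = abs_(S, t)
    return S

def abs_(S, t):
    if t[0] == 'var': return S
    if t[0] == 'fun': return try_add(S, t)
    if t[0] == 'box': return try_add(S, t[1])   # bracketed expressions are candidates too
    return abstract(S, children(t))             # constructor-rooted or case: inspect the arguments

def try_add(S, t):
    for s in S:                                  # assumed case: t is already covered by s
        theta = {}
        if root(s) == root(t) and matches(s, t, theta):
            return abstract(S, list(theta.values()))
    for s in S:                                  # Def. 3: a comparable s embedded in t is generalised
        if root(s) == root(t) and embeds(s, t):
            g, th1, th2 = msg(s, t)
            return abstract([u for u in S if u != s], [g] + list(th1.values()) + list(th2.values()))
    return S + [t]

# Constructed inputs: the set of Example 5 and the two iterations of Example 7.
APP_AB = fun('app', var('a'), var('b'))
CASE_AB = case('case', APP_AB, [(con('[]'), var('z')), (con(':', var('x'), var('y')), fun('app', var('y'), var('z')))])
CASE_PRIMED = case('case', fun('app', var("a'"), var("b'")),
                   [(con('[]'), var("z'")), (con(':', var("x'"), var("y'")), fun('app', var("y'"), var("z'")))])
APP3 = fun('app', fun('app', var('x'), var('y')), var('z'))
U_APP3 = case('case', var('x'), [
    (con('[]'), case('case', var('y'), [(con('[]'), var('z')),
                                        (con(':', var('a'), var('b')), con(':', var('a'), box(fun('app', var('b'), var('z')))))])),
    (con(':', var("a'"), var("b'")), con(':', var("a'"), box(fun('app', fun('app', var("b'"), var('y')), var('z')))))])
U_APP_BZ = case('case', var('b'), [(con('[]'), var('z')),
                                   (con(':', var('c'), var('d')), con(':', var('c'), box(fun('app', var('d'), var('z')))))])

def example7():
    """S0, S1 and the fixpoint check abstract(S1, {U(app b z)}) of Example 7."""
    S0 = abstract([], [APP3])
    S1 = abstract(S0, [U_APP3])
    return S0, S1, abstract(S1, [U_APP_BZ])
```

example7() returns S0 = {app (app x y) z}, S1 = S0 ∪ {app b z} and again S1 for the third set, i.e. the fixpoint of Example 7. The generalisation path of try_add is exercised by a term that embeds but is not an instance of a set element: with S = {app (app x y) z} and t = app ((app x y) : []) z the result is {app v1 z}, showing how the msg trades the nested call for a fresh variable to keep S finite.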

The following proposition states that the operator abstract of Def. 3 is safe. 

Proposition 1. Given two finite sets of terms, T and S, if S' = abstract (S,T), 
then for all t G (S U T), t is closed with respect to S' . 

Finally, we establish the termination of the complete PE process: 

Theorem 2. Let R be a program and S a finite set of terms. The computation of P(R, S) terminates using a finite unfolding rule and the abstraction operator of Def. 3.



5 Experimental Evaluation 

In order to assess the practicality of the ideas presented in this work, the implementation of a partial evaluator for the multi-paradigm declarative language Curry has been undertaken. Curry [19] integrates features from logic (logic variables, partial data structures, built-in search), functional (higher-order functions, demand-driven evaluation) and concurrent programming (concurrent evaluation of constraints with synchronization on logical variables). Furthermore, Curry is a complete programming language which is able to implement distributed applications (e.g., Internet servers [16]) or graphical user interfaces at a high level [17].
In order to develop an effective PE tool for Curry, one has to extend the basic PE scheme to cover all high-level features. This extension becomes impractical within previous frameworks for the PE of functional logic languages due to the complexity of the resulting semantics. By using an abstract representation and translating high-level programs to this notation (see [20]), the extension becomes simple and effective. A detailed description of the concrete manner in which each feature is treated can be found in [3]. Moreover, as opposed to previous partial evaluators for Curry (e.g., Indy [1]), it is completely written in Curry. To the best of our knowledge, this is the first purely declarative partial evaluator for a functional logic language.

Footnote: It is publicly available at http://www.dsic.upv.es/users/elp/soft.html.

Benchmark      mix    original   specialized   speedup
all_ones       470    430        290           1.48
double_app     510    370        320           1.16
double_flip    750    550        400           1.37
kmp           1440    730         35           20.9
length_app     690    310        290           1.07

Table 1. Benchmark results

Firstly, we have benchmarked several examples which are typical from partial deduction and from the literature of functional program transformations. Table 1 shows the results obtained from some selected benchmarks (a complete description can be found, e.g., in [4]). For each benchmark, we show the specialization time including the reading and writing of programs (column mix), the timings for the original and specialized programs (columns original and specialized), and the speedups achieved (column speedup). Times are expressed in milliseconds and are the average of 10 executions on a Sun Ultra-10. Runtime input goals were chosen to give a reasonably long overall time. All benchmarks have been specialized w.r.t. function calls containing no static data, except for the kmp example (which explains the larger speedup produced). Speedups are similar to those obtained by previous partial evaluators, e.g., Indy [1]. Indeed, these benchmarks were used in [4] to illustrate the power of the narrowing-driven approach (and are not affected by the discussed limitations). This indicates that our new scheme for PE is a conservative extension of previous approaches on comparable examples. Note, though, that our partial evaluator is applicable to a wider class of programs (including higher-order functions, constraints, several built-ins, etc.), while Indy is not.

Secondly, we have considered the PE of the collection of programs in the Curry library (see http://www.informatik.uni-kiel.de/~curry). Here, our interest was to check the ability of the partial evaluator to deal with realistic programs which make extensive use of all the features of the Curry language. Our partial evaluator has been successfully applied to all the examples, producing in some cases significant improvements. We refer to [3] for the source code of some benchmarks. Finally, we have also considered the PE of a meta-interpreter w.r.t. a source program. Although the partial evaluator successfully specialized it, regarding improvement in efficiency the results were not so satisfactory. To improve this situation, we plan to develop a binding-time analysis to determine, for each expression, whether it can be definitively evaluated at PE time (hence, it should not be generalized by the abstraction operator) or whether this decision must be taken online. This kind of (off-line) analysis would also be useful to reduce specialization times.

Altogether, the experimental evaluation is encouraging and gives a good im- 
pression of the specialization achieved by our partial evaluator. 

6 Conclusions 

In this work, we introduce a novel approach for the PE of truly lazy functional 
logic languages. The new scheme is carefully designed for an abstract represen- 
tation in which high-level programs can be automatically translated. We have 
shown how a non-standard (residualizing) semantics can avoid several limitations 
of previous frameworks. The implementation of a fully automatic PE tool for 
the language Curry has been undertaken and tested on an extensive benchmark 
suite. To the best of our knowledge, this is the first purely declarative partial 
evaluator for a functional logic language. Moreover, since Curry is an extension 
of both logic and (lazy) functional languages, we think that our PE scheme can 
be easily adapted to other declarative languages. 

From the experimental results, we conclude that our partial evaluator is indeed suitable for "real" Curry programs. Anyway, there is still room for further improvements. For instance, although self-application is already (theoretically) possible, the definition of a precise binding-time analysis seems mandatory to achieve an effective self-applicable partial evaluator. On the other hand, we have not considered a formal treatment for measuring the effectiveness of our partial evaluator. Another promising direction for future work is the development of abstract criteria to formally measure the potential benefit of our PE algorithm.
Abstract. In this paper we present a binding-time analysis for the logic 
programming language Mercury. Binding-time analysis is a key analysis 
needed to perform off-line program specialisation. Our analysis deals 
with the higher-order aspects of Mercury, and is formulated by means of 
constraint normalisation. This allows (at least part of) the analysis to 
be performed on a modular basis. 



1 Introduction 

Mercury is a recently introduced logic programming language, comprising many 
features needed for modern software engineering practice: polymorphism, type- 
classes and a strong module system are some examples of the means available 
to the programmer to design and build modular programs that employ a lot of 
abstraction and reuse of general components. 

Employing abstraction and generality, however, imposes a penalty on the effi- 
ciency of the resulting program, due to the presence of, for example, procedure calls 
and tests for which the input is (partially) known at compile-time. To overcome 
this performance problem, the Mercury compiler performs several optimizations 
on the original source code. Although most of these optimizations are imple- 
mented as different processes during compilation, some of them are instances of 
the more general framework of partial evaluation. Examples are inlining of pro- 
cedure bodies, higher-order call specialisation and specialisation of type-infos [4]. A 
problem shared by these optimizations is knowing at what points in the code 
enough information is present to apply the optimization under consideration. 
Currently, this problem is solved mostly by using some heuristics that are hard- 
coded in the analysis. 

A more general approach is the use of binding-time analysis (BTA) to perform 
a thorough dataflow analysis, and propagate information through the program 
about what variables are definitely bound to a value at compile-time, indepen- 
dent of the program’s runtime input. Such information can be used by a so-called 
off-line program specialiser to partially evaluate certain parts of the code w.r.t. 
some given input. An advantage of the more general approach is that the results 
of BTA can be shared by more than one optimization. As such, different opti- 
mizations do not need to redo the analysis, additional optimizations can more 
easily be plugged in, and precision improvements of the BTA have an impact 
on a broader scope of optimizations. The results of BTA can be shown as an- 
notations on the original source code and provide as such excellent feedback to 
the user, enabling a better understanding of why several optimizations are (not) 
performed. 

In a logic programming setting, work on partial evaluation has mainly con- 
centrated on on-line specialisation (where the specialisation process is controlled 
by the concrete input rather than by a previous analysis [6,11]). Consequently, 
little attention has been paid to off-line specialisation and BTA [9,12,2]. In pre- 
vious work [16] we have defined a completely automatic BTA for a subset of 
the logic programming language Mercury. The current work reformulates and 
extends our previous work extensively: in contrast with [16], our analysis now 
deals with the higher-order aspects of Mercury, and its formulation by constraint 
solving allows it to be performed (at least partially) on the same modular basis 
as compilation. 

Binding-time analysis has been studied thoroughly before in the context 
of functional languages (e.g. [1,7,5]). In this context, the actual binding-time 
analysis is usually preceded by a flow (or closure) analysis to determine the 
higher-order control flow in a program (e.g. [8,13]). In [1], such a flow analy- 
sis is combined with a monovariant binding-time analysis by constraint solving. 
The work in [7,5] describes a polyvariant BTA by deriving binding-time descrip- 
tions that are polymorphic w.r.t. the binding-times of a function’s arguments. 
The described analysis deals with a monomorphic lambda-calculus like language. 
Techniques exist [10] to deal with more involved type systems and partially static 
data structures. 

This work adapts and generalises ideas from BTA of functional programs in 
several ways. Basing our domain of binding-times on the type system of Mercury 
enables us to handle type polymorphism, represent partially static data struc- 
tures and propagate closure information as part of the binding-time information. 
Hence our analysis does not require a separate closure analysis, but computes 
this information using a single set of constraints. Our analysis is polyvariant: it 
computes different binding-times for the variables in a predicate depending on 
the binding-times (including the closure information) of the predicate’s input 
arguments. In this work, we develop the basic machinery for such a binding- 
time analysis for the logic programming language Mercury. Since Mercury is 
a language specifically tuned towards use in large scale applications, programs 
written in Mercury usually consist of a number of modules. Hence, performing 
(at least a large part of) the analysis one module at a time is crucial for such 
applications. We are closely collaborating with the Mercury developers in Mel- 
bourne to implement a BTA based on the presented material in a version of the 
Mercury compiler, which should enable us to perform some large scale experiments. 

The remainder of the paper is organised as follows: in Sect. 2 we describe 
the technique of BTA by constraint solving for a first order subset of Mercury, 
emphasising the modular approach. In Sect. 3, we alter the technique to deal 
with the higher-order aspects of the Mercury language. 
2 BTA by Constraint Solving: A First-order Setting 

Binding-time analysis is about knowing what runtime values will be known al- 
ready at compile-time, without being interested in the values themselves. In 
order to be useful when complex data structures are involved, the analysis must 
deal with values that are partially known at compile-time. First, we describe a 
suitable domain for representing such knowledge that was originally introduced 
in [16]. The analysis itself is presented afterwards. 

2.1 A Precise Domain of Binding-Times 

In a statically typed language like Mercury, the set of possible values a program 
variable can have at runtime can be described at compile time by a finite type 
graph. Consider for example the definition of a type list(T), denoting a poly- 
morphic list, where such a list is either the empty list (denoted by []) or a cons 
(denoted by [ | ]) of a value of type T and a list of T. A possible type graph for 
this type is denoted in Fig. 1. 




A suitable domain of binding-times is obtained by associating the label static 
or dynamic to every or-node in the type graph, the idea being that if a node is 
labelled dynamic, respectively static, the corresponding subterm(s) in the value 
described by the binding-time are free, respectively bound to a functor. Also in 
Fig. 1, $\tau_1$, $\tau_2$ and $\tau_3$ represent such associations denoting, respectively, a value 
that is completely known at compile-time, a value for which the skeleton of the 
list is definitely known at compile-time but the elements are not, and a value 
that is possibly completely unknown at compile-time. 

We first introduce the necessary concepts and notation. The basic Mercury 
entity our analysis deals with is a compilation unit; that is, a Mercury module 
$M$ together with the definitions from the interfaces of the modules that are 
imported by $M$. Throughout the paper, we often simply refer to such a unit as 
a "module", though. Let $T_V$, $T_C$ and $T_F$ denote the sets of, respectively, type 
variables, type constructors and type functors for a given module. 

In this section, we consider only first-order types: a type variable or a type 
constructor applied to a number of types. 

Definition 1. Let $\mathit{MT}$ denote the set of all possible types for a program $P$: 

$\mathit{MT} ::= V \in T_V \mid \gamma(t_1, \ldots, t_n)$ with $\gamma/n \in T_C$ and $t_i \in \mathit{MT}$, $\forall i \in \{1 \ldots n\}$ 

Each type constructor $\gamma/n \in T_C$ is defined by a type definition in $P$. The set 
of all these definitions is denoted by $\mathit{TDef}$. 

Definition 2. A type constructor is defined as follows, with the constraint that 
all type variables occurring in the right hand side also occur in the left hand side. 

$\mathit{TDef} ::= \gamma(V_1, \ldots, V_n) \longrightarrow c_1(t_{1,1}, \ldots, t_{1,m_1}) ; \ldots ; c_l(t_{l,1}, \ldots, t_{l,m_l}).$ 

where $\gamma/n \in T_C$, $c_i \in T_F$, $V_i \in T_V$ and $t_{i,j} \in \mathit{MT}$ 

A type substitution is defined as a mapping $\mathit{TSubst} : T_V \mapsto \mathit{MT}$. To ease nota- 
tion, we define the following shorthand notation to denote the set of construc- 
tors of a type and a specific subtype of a type: for a type $t \in \mathit{MT}$, define 
$C_t = \{c_1/m_1, \ldots, c_l/m_l\} \subseteq T_F$ and $ST_t^{c_i,k} = t_{i,k}\theta$ if $t = \gamma(V_1, \ldots, V_n)\theta$ with $\theta \in \mathit{TSubst}$ 
and $\gamma(V_1, \ldots, V_n) \longrightarrow c_1(t_{1,1}, \ldots, t_{1,m_1}) ; \ldots ; c_l(t_{l,1}, \ldots, t_{l,m_l}) \in \mathit{TDef}$. 



Example 1. The type list(T) introduced above is formally defined by the fol- 
lowing definition: 

:- type list(T) ---> [] ; [T | list(T)]. 

Given the type $\mathit{list}(T)$, $C_{\mathit{list}(T)} = \{[]/0, [|]/2\}$, $ST_{\mathit{list}(T)}^{[|],1} = T$ and 
$ST_{\mathit{list}(T)}^{[|],2} = \mathit{list}(T)$. 

In what follows, we represent a sequence over a set $S$ by $\langle S \rangle$; $\langle\rangle$ denotes the 
empty sequence, and $\langle d_1, \ldots, d_n \rangle \bullet \langle e_1, \ldots, e_m \rangle$ denotes the concatenation of the 
two sequences, resulting in the new sequence $\langle d_1, \ldots, d_n, e_1, \ldots, e_m \rangle$. For any 
sequence $S$, $S_i$ denotes the $i$'th element of $S$, if it exists. 

We will often need to refer to subvalues of values, according to a type tree. 
Since a node in a type tree is uniquely defined by a path from the root towards 
it, we define the notion of a type path as a sequence over $T_F \times \mathbb{N}$. The set of 
all type paths is denoted by $\mathit{TPath}$. Type paths are used to select (type) nodes 
in a type graph: for a type $t$, $t^{\langle\rangle} = t$ and $t^{\langle (c,k) \rangle \bullet \delta}$ denotes $(t_{c,k})^{\delta}$ if $c \in C_t$ and 
$t_{c,k} = ST_t^{c,k}$. 

Given the notion of type paths, we can define a (possibly infinite) type tree 
in a straightforward way: 

Definition 3. For a type $t \in \mathit{MT}$, the first order type tree of $t$, $\mathcal{C}_t \subseteq \mathit{TPath}$, is 
recursively defined as: 

- $\langle\rangle \in \mathcal{C}_t$ 

- if $t = \gamma(t_1, \ldots, t_n)$ with $\gamma \in T_C$ then $\forall c/n \in C_t$, $k \in \{1, \ldots, n\}$, $\langle (c,k) \rangle \bullet \delta \in \mathcal{C}_t$ 
where $\delta \in \mathcal{C}_{t_{c,k}}$ and $t_{c,k} = ST_t^{c,k}$. 
Recursive type definitions correspond to infinite type trees. However, to con- 
sider finite type graphs, it is sufficient to impose an equivalence relation on the 
set of type paths for a given type, turning it into a finite set. We consider two 
type paths $\delta, \delta'$ to be equivalent w.r.t. a type $t$ if and only if $\delta = \delta' \bullet \gamma$ (for some 
$\gamma \in \mathit{TPath}$) and $t^{\delta} = t^{\delta'}$. Let $\equiv$ denote the transitive closure of the equivalence 
relation and $\mathcal{C}_t^{\equiv}$ denote a type tree modulo $\equiv$. 

Example 2. For $\mathit{list}(T)$ as defined in Example 1, $\mathcal{C}_{\mathit{list}(T)}^{\equiv} = \{\langle\rangle, \langle ([|],1) \rangle\}$, since 
the path referring to the recursive occurrence of $\mathit{list}(T)$, $\langle ([|],2) \rangle$, is equivalent 
with $\langle\rangle$. 

If we introduce the domain $B = \{\mathit{static}, \mathit{dynamic}\}$, we can define a binding- 
time for a type $t$ by a labelling of $\mathcal{C}_t^{\equiv}$'s nodes as follows: 

Definition 4. A binding-time for a type $t \in \mathit{MT}$ is a function $\tau : \mathcal{C}_t^{\equiv} \mapsto B$ 
such that $\forall \delta \in \mathit{dom}(\tau)$: $\tau(\delta) = \mathit{dynamic}$ implies that $\tau(\delta') = \mathit{dynamic}$ for all 
$\delta' \in \mathit{dom}(\tau)$, $\delta' = \delta \bullet \epsilon$. The set of all binding-times (regardless of their type) is 
denoted by $\mathit{BT}$. 

We impose the ordering $\mathit{dynamic} > \mathit{static}$ on $B$, which induces an ordering on 
$\mathit{BT}$: $\tau_1 \geq \tau_2$ if and only if $\tau_1(\delta) \geq \tau_2(\delta)$ for all $\delta \in \mathit{TPath}$. In Fig. 1, for example, 
$\tau_3 \geq \tau_2 \geq \tau_1$. 



2.2 Generating a Constraint System 

The task of BTA can be described as follows: given binding-times for a predicate’s 
input arguments, compute binding-times for the predicate’s remaining variables. 
In [16], we formulated BTA for a subset of Mercury as a top-down, call dependent 
analysis. Extending such a call dependent analysis to deal with multi-module 
programs is nontrivial and often leads to duplication of analysis efforts. In this 
work, we reformulate BTA in a constraint-solving setting, enabling an efficient 
modular approach: First, the data flow inside a predicate is examined resulting 
in a number of constraints on the variables’ binding-times. These constraints are 
created without taking the call pattern of interest into account. Next, the least 
solution to this constraint system, combined with the call pattern of interest, 
provides a binding-time for each variable that is both correct and as static 
as possible. 

First, we show how to translate a module to a constraint system. Such a 
module can be considered as a set of procedures, which are obtained by trans- 
lating the original predicates and functions to super homogeneous form [15]. The 
definition of a procedure is converted to a single clause: the arguments in the 
head of the clause and in predicate calls in the body are distinct variables, ex- 
plicit unifications are generated for these variables in the body goal, and complex 
unifications are broken down into several simpler ones. A goal is either an atom 
or a number of goals connected by conjunction, disjunction, if then else or not. 
An atom is either a unification or a procedure call. 
Definition 5. 

$\mathit{Proc} ::= p(H_1, \ldots, H_n) \,{:}{-}\, G$ with $p \in T_P$, $G \in \mathit{Goal}$, $H_1, \ldots, H_n \in \mathit{Var}$ 

$\mathit{Goal} ::= \mathit{Atom} \mid \mathit{not}\ G \mid (G_1, G_2) \mid (G_1 ; G_2) \mid \mathit{if}\ G_1\ \mathit{then}\ G_2\ \mathit{else}\ G_3$ 
with $G, G_1, G_2, G_3 \in \mathit{Goal}$ 

$\mathit{Atom} ::= X = f(Y^1, \ldots, Y^n) \mid X = Y \mid p(Y^1, \ldots, Y^n)$ 
with $X, Y, Y^1, \ldots, Y^n \in \mathit{Var}$, $f \in T_F$ and $p \in T_P$ 

An essential part of compiling a Mercury module is mode analysis [15]. Dur- 
ing this analysis, unifications are split into four different types, according to their 
data flow: test, denoted by $X == Y$ (where $X$ and $Y$ are both input and of 
atomic type, that is, having a type tree consisting of only the root node), as- 
signment, denoted by $X := Y$ (where $Y$ is input, $X$ is output), construction, 
denoted by $X \Leftarrow f(Y^1, \ldots, Y^n)$ (where $X$ is output, $Y^1, \ldots, Y^n$ input and 
$f \in T_F$) and deconstruction, denoted by $Y \Rightarrow f(X^1, \ldots, X^n)$ (where $Y$ is input, 
$X^1, \ldots, X^n$ output and $f \in T_F$). For a procedure $p$, $\mathit{Arg}(p)$ denotes the se- 
quence $\langle H_1, \ldots, H_n \rangle$ of $p$'s formal arguments. Each atom in a procedure's body 
is uniquely identified by a program point ($\mathit{PP}$). 

Example 3. Consider the predicate $\mathit{append}(\mathit{list}(T) :: \mathit{in}, \mathit{list}(T) :: \mathit{in}, \mathit{list}(T) :: \mathit{out})$ 
where for each argument position $t :: \mathit{in}$ or $t :: \mathit{out}$ denotes that the corre- 
sponding argument is of type $t$ and is an input, respectively output, argument. 
The predicate is defined as follows, where each atom is subscripted with a natural 
number, representing its program point. 

$\{\mathit{append}(X, Y, Z)\}_0 \,{:}{-}\, \{X \Rightarrow []\}_1, \{Z := Y\}_2 ;$ 
$\{X \Rightarrow [E|Es]\}_3, \{\mathit{append}(Es, Y, R)\}_4, \{Z \Leftarrow [E|R]\}_5.$ 

Variables can be initialised in different branches of a disjunction (or if-then- 
else). To improve precision, we associate different binding-times to such variables, 
one for each occurrence in such a branch. Notationally, we distinguish between 
such occurrences by subscripting a variable with the program point (represented 
by a natural number) where it got initialised. In the append example, $Z_2$ denotes 
the occurrence of $Z$ in the first branch of the disjunction, whereas $Z_5$ denotes the 
occurrence of $Z$ in the second branch. We identify the head of a procedure with 
program point 0 and use this program point to denote input arguments and 
(final occurrences of) output arguments. The set of all occurrences of variables 
is denoted by $\mathit{Var}_{PP}$. 

When computing the binding-time of a variable, it is mandatory to take 
the right (sub)set of its occurrences into account. We therefore introduce the 
following notions: an execution path in a predicate $p$ is a sequence of program 
points in $p$ denoting a possibly nonfailing derivation of the atoms associated to 
the program points. Two program points $p_1$ and $p_2$ share an execution path in $p$ 
if there exists an execution path $S$ in $p$ such that both $p_1$ and $p_2$ are elements of 
$S$. We define the function $\mathit{init} : \mathit{Var} \times \mathit{PP} \mapsto 2^{\mathit{Var}_{PP}}$ as $\mathit{init}(X, pp) = \{X_{pp'} \mid X$ 
got initialised at $pp'$ and $pp$ and $pp'$ share an execution path$\}$. 

Example 4. In the append example, the only two execution paths are $\langle 0, 1, 2 \rangle$ 
and $\langle 0, 3, 4, 5 \rangle$. We have, for example, that $\mathit{init}(Y, 2) = \{Y_0\}$, $\mathit{init}(X, \_) = \{X_0\}$, 
$\mathit{init}(E, 5) = \{E_3\}$ and $\mathit{init}(R, 5) = \{R_4\}$. 

The binding-times that can be associated to (an occurrence of) a variable 
are constrained by the binding-times of those variables it is related to through a 
data flow relation. To express data flow relations in terms of binding-times, we 
introduce the notion of a binding-time constraint. 

Definition 6. A binding-time constraint is denoted as $X_{pp}^{\delta} \geq S$, where $X_{pp} \in$ 
$\mathit{Var}_{PP}$, $\delta \in \mathit{TPath}$ and $S = \mathit{static} \mid \mathit{dynamic} \mid Y_{pp'}^{\gamma}$ (with $Y_{pp'} \in \mathit{Var}_{PP}$ and $\gamma \in$ 
$\mathit{TPath}$). The set of all binding-time constraints is denoted by $B_C$. 

Due to the well-modedness of Mercury procedures, it is possible to trace the 
dataflow back to the procedure's input arguments, and consequently to express 
the binding-time constraints on a variable as a function of the binding-times of the 
procedure's (input) arguments. Binding-time constraints in this format are said 
to be in normal form. 

Definition 7. A binding-time constraint $X_{pp}^{\delta} \geq S$ is in normal form if its right- 
hand side $S$ is either $\mathit{static}$, $\mathit{dynamic}$ or $Y_0^{\gamma}$ with $Y$ being an input argument. 

In particular, we are often interested in the normalised binding-time con- 
straints on a procedure's output arguments. For a procedure $p$, we denote with 
$p$'s normal form a set of binding-time constraints, where the left-hand side is an 
(output) argument of $p$. We start by defining how to translate a procedure into a 
set of binding-time constraints. A unification can straightforwardly be translated 
to a set of binding-time constraints on the involved variables, whereas translating 
a call to a set of binding-time constraints requires the called predicate's normal 
form. If we denote with $\mu$ a function $\mathit{Proc} \mapsto 2^{B_C}$ such that for a procedure $q$, 
$\mu(q)$ denotes $q$'s normal form, we can define for any atom $A$ its associated set of 
binding-time constraints as $\mathcal{A}_\mu(A)$, where $\mathcal{A}$ is defined as follows: 

Definition 8. Consider an atom at program point $pp$. $\mathcal{A}_\mu(A)$ is as follows, de- 
pending on the type of atom: 

$\mathcal{A}_\mu(X == Y) = \{\}$ 

$\mathcal{A}_\mu(X := Y) = \{X_{pp} \geq Y_{pp'} \mid Y_{pp'} \in \mathit{init}(Y, pp)\}$ 

$\mathcal{A}_\mu(X \Leftarrow f(Y^1, \ldots, Y^n)) = \{X_{pp} \geq \mathit{static}\}$ 
$\cup\ \{X_{pp}^{\langle (f,1) \rangle} \geq Y^1_{pp_1} \mid Y^1_{pp_1} \in \mathit{init}(Y^1, pp)\}$ 
$\cup \ldots \cup$ 
$\{X_{pp}^{\langle (f,n) \rangle} \geq Y^n_{pp_n} \mid Y^n_{pp_n} \in \mathit{init}(Y^n, pp)\}$ 

$\mathcal{A}_\mu(Y \Rightarrow f(X^1, \ldots, X^n)) = \{X^1_{pp} \geq Y_{pp'}^{\langle (f,1) \rangle} \mid Y_{pp'} \in \mathit{init}(Y, pp)\}$ 
$\cup \ldots \cup$ 
$\{X^n_{pp} \geq Y_{pp'}^{\langle (f,n) \rangle} \mid Y_{pp'} \in \mathit{init}(Y, pp)\}$ 

$\mathcal{A}_\mu(p(X^1, \ldots, X^n)) = \mathcal{C}_{\mu(p)}(p(X^1, \ldots, X^n))$ 

where $\mathcal{C}_N(p(X^1, \ldots, X^n))$ is defined as 

$\{(X^i_{pp})^{\delta} \geq (X^j_{pp'})^{\gamma} \mid X^j_{pp'} \in \mathit{init}(X^j, pp)$ and $(P^i_0)^{\delta} \geq (P^j_0)^{\gamma} \in N\}$ 
$\cup\ \{(X^i_{pp})^{\delta} \geq c \mid (P^i_0)^{\delta} \geq c \in N$ with $c = \mathit{static}$ or $\mathit{dynamic}\}$ 

where $\langle P^1, \ldots, P^n \rangle = \mathit{Arg}(p)$ 

Due to the well-modedness of procedures, the set $\mathit{init}(Y, pp)$ in Definition 8 con- 
tains program points that precede the unification in the procedure's body. Nat- 
urally, an atom constrains only the binding-time(s) of its output variable(s) in 
order to comply with the congruence [8] condition: if (a subvalue of) a variable 
is constructed using (a subvalue of) another variable, then the corresponding 
subvalue in the former's binding-time should be at least as dynamic as the cor- 
responding part in the latter's binding-time. Note that a construction with a 
constant, $X \Leftarrow c$, leads to a (superfluous) constraint $X \geq \mathit{static}$ whereas a de- 
construction with a constant, $X \Rightarrow c$, leads to no constraints at all. The function 
$\mathcal{C}_{\mu(p)}$ maps the normal form of $p$'s binding-time constraints, expressed in terms 
of the formal arguments $P^i_0$, to the actual arguments of the call to $p$: $P^i_0$ in a 
left-hand side occurrence is replaced by $X^i_{pp}$; $P^i_0$ in a right-hand side occurrence 
is replaced by $X^i_{pp_i}$ with $pp_i$ the program point(s) where $X^i$ gets initialised. 

Now, we are in a position to define the set of constraints associated to a 
procedure: 

Definition 9. Given $\mu : \mathit{Proc} \mapsto 2^{B_C}$ such that $\mu(q)$ denotes $q$'s normal form, 
we define for a procedure $p(P^1, \ldots, P^n) \,{:}{-}\, G$ 

$\mathit{BTC}_\mu(p) = \Gamma \cup \bigcup_{\mathit{atom}\ A \in G} \mathcal{A}_\mu(A)$ 

where $\Gamma = \{P^i_0 \geq P^i_{pp} \mid P^i_{pp} \in \mathit{init}(P^i, 0)$ and $P^i$ an output argument$\}$ 

Note that in the above definition, $\Gamma$ links the final binding-time of $p$'s output 
arguments to each occurrence of that argument in $p$'s body where it is initialised. 

Example 5. If we consider $\mu(\mathit{append}) = \{\}$ for the append procedure from Ex- 
ample 3, $\mathit{BTC}_\mu(\mathit{append})$ is defined as: 

$Z_0 \geq Z_2$, $Z_2 \geq Y_0$, $E_3 \geq X_0^{\langle([|],1)\rangle}$, $Z_5 \geq \mathit{static}$, 
$Z_0 \geq Z_5$, $Es_3 \geq X_0$, $Z_5^{\langle([|],1)\rangle} \geq E_3$, 
$Z_5 \geq R_4$ 



Bringing a set of binding-time constraints to normal form can be achieved 
by repeatedly unfolding the variable in the right-hand side, replacing it with 
the right-hand sides of the constraints that exist on that value. Unfolding is 
complicated by the use of subvalues, since a variable may need to be unfolded 
w.r.t. constraints that define a subvalue as well as a supervalue of the former. If 
we consider two subvalues of a variable, say $X^{\delta}$ and $X^{\gamma}$, we know that one of 
them is a subvalue of the other if either $\delta$ is an extension of $\gamma$ or vice versa. 
Definition 10. We define $\mathit{ext} : \mathit{TPath} \times \mathit{TPath} \mapsto \mathit{TPath} \times \mathit{TPath}$ as follows: 

$\mathit{ext}(\gamma, \delta) = (\langle\rangle, \eta)$ if $\gamma = \delta \bullet \eta$ 
$\mathit{ext}(\gamma, \delta) = (\eta, \langle\rangle)$ if $\gamma \bullet \eta = \delta$ 

and undefined otherwise. 

Note that if $\mathit{ext}(\gamma, \delta) = (\alpha, \beta)$ then $\gamma \bullet \alpha = \delta \bullet \beta$. Unfolding a constraint 
$X_{pp_X}^{\gamma} \geq Y_{pp_Y}^{\delta}$ w.r.t. a set of constraints results in a set of new constraints on 
(possible subvalues of) $X_{pp_X}^{\gamma}$, with as right hand sides the appropriate subvalues 
of the right hand sides of the constraints that were used for unfolding. To denote 
a subvalue of a constraint's right-hand side $S$, we use the notation $S^{\eta}$. If $S$ 
denotes the variable $X_{pp}^{\delta}$ then $S^{\eta}$ equals $X_{pp}^{\delta \bullet \eta}$. Otherwise, if $S$ denotes the 
constant $\mathit{static}$ or $\mathit{dynamic}$, $S^{\eta}$ simply equals $S$. 

$\mathit{project}(X_{pp_X}^{\gamma} \geq Y_{pp_Y}^{\delta}, \mathcal{V}) = \{X_{pp_X}^{\gamma \bullet \eta_1} \geq S^{\eta_2} \mid Y_{pp_Y}^{\delta'} \geq S \in \mathcal{V}$ 
and $\mathit{ext}(\delta, \delta') = (\eta_1, \eta_2)\}$ 

Note that unfolding results in an empty set when the right-hand side that 
is unfolded is a variable on which no constraints are defined. Normalising a 
constraint set then consists of repeatedly selecting a constraint that is not yet 
in normal form and replacing it with the constraints resulting from unfolding, 
until a fixed point is reached. 

Definition 11. We define $\mathit{comp}_P : 2^{B_C} \mapsto 2^{B_C}$ as follows: 

$\mathit{comp}_P(\mathcal{V}) = \mathcal{V} \setminus \{X_{pp_X}^{\gamma} \geq Y_{pp_Y}^{\delta} \mid X_{pp_X}^{\gamma} \geq Y_{pp_Y}^{\delta} \in \mathcal{V}$ and $pp_Y \neq 0\}$ 
$\cup \bigcup \{\mathit{project}(X_{pp_X}^{\gamma} \geq Y_{pp_Y}^{\delta}, \mathcal{V}) \mid X_{pp_X}^{\gamma} \geq Y_{pp_Y}^{\delta} \in \mathcal{V}$ and $pp_Y \neq 0\}$ 

and use the classical notation to apply $\mathit{comp}_P$ a number of times starting with 
a set $\mathcal{V}$: $\mathit{compact}_P(\mathcal{V}) = \mathit{comp}_P \uparrow \omega$ where 

$\mathit{comp}_P \uparrow 0 = \mathcal{V}$ 
$\mathit{comp}_P \uparrow i = \mathit{comp}_P(\mathit{comp}_P \uparrow (i-1))$ for all $i > 0$ 

Computing the normal form of the predicates defined in a module $M$ is done 
through a fixed point computation. Note that we compute, for each procedure $p$, 
a set of binding-time constraints that is larger than $p$'s normal form, as we are 
interested in the normalised binding-time constraints on all local variables of $p$. 
The result of the process for a module $M$ is denoted by a function $\mu_M : \mathit{Proc} \mapsto$ 
$2^{B_C}$ mapping a procedure to a set of normalised binding-time constraints. For 
such a function $\mu_M$, we denote with $\mu_M|_0$ the restricted mapping, where for each 
$p$, $\mu_M|_0(p) \subseteq \mu_M(p)$ and $\mu_M|_0(p)$ denotes $p$'s normal form. When the analysis for 
the module $M$ starts, we assume that all procedures defined in other modules 
have been analysed before, the result recorded in a function $\mu_I$. If they are not, 
$\mu_I$ is initialised with $\mathit{dynamic}$ for all the output arguments.¹ Construction of $\mu_M$ 

¹ See [3] for a discussion of how an inter-module analysis can cope with cyclic depen- 
dencies between modules. 
is then defined as a fixed point iteration over an operator $T_M : (\mathit{Proc} \mapsto 2^{B_C}) \mapsto$ 
$(\mathit{Proc} \mapsto 2^{B_C})$ defined as follows: 

$T_M(S) = S \setminus \{(p, N) \mid (p, N) \in S$ and $p$ defined in $M\}$ 
$\cup\ \{(p, \mathit{compact}_P(\mathit{BTC}_{S|_0}(p))) \mid p$ defined in $M\}$ 

The analysis starts from an initial mapping where each predicate of $M$ is 
mapped onto an empty set of constraints. During each iteration round, the con- 
straints from a procedure's body are generated and normalised. This process is 
repeated until a fixed point is reached. 

Definition 12. For a module $M$, the result of constraint generation is the map- 
ping $\mu_M = T_M \uparrow \omega$, where $T_M \uparrow \omega$ is the fixed point of 

$T_M \uparrow 0 = \mu_I \cup \{(p, \{\}) \mid p \in \mathit{Proc}$ defined in $M\}$ 
$T_M \uparrow k = T_M(T_M \uparrow (k-1))$ for all $k \geq 1$ 



Example 6. Let $M_{app}$ denote a module consisting only of the definition of append. 
The result of constraint generation, for the append procedure, is the following 
set of binding-time constraints: 

$Z_0 \geq \mathit{static}$, $Z_0 \geq Y_0$, $Z_0^{\langle([|],1)\rangle} \geq X_0^{\langle([|],1)\rangle}$, 
$Z_2 \geq Y_0$, 
$E_3 \geq X_0^{\langle([|],1)\rangle}$, $Es_3 \geq X_0$, 
$R_4 \geq \mathit{static}$, $R_4 \geq Y_0$, $R_4^{\langle([|],1)\rangle} \geq X_0^{\langle([|],1)\rangle}$, 
$Z_5 \geq \mathit{static}$, $Z_5 \geq Y_0$, $Z_5^{\langle([|],1)\rangle} \geq X_0^{\langle([|],1)\rangle}$ 



It can be proven that the fixed point $\mu_M = T_M \uparrow \omega$ is reached after a finite 
number of steps. Informally, since binding-time constraints reflect the data flow 
relations in a well-moded procedure, no circular dependencies exist in the set and 
hence unfolding is finite and results in a finite set of binding-time constraints in 
normal form. New constraints are incorporated in each iteration round, but due 
to monotonicity of $\mathit{compact}$ and the fact that the number of possible binding- 
time constraints is finite for a procedure, the iteration process results in a fixed 
point. 



2.3 Solving the Constraint System 

Given a set of binding-time constraints in normal form for a procedure and a 
call pattern of interest for that procedure, it is straightforward to compute the 
binding-time of an occurrence of a variable in that procedure. Let us formally 
define a call pattern ($\mathit{Call}_P$) for a procedure $p/n$ as a sequence over $\mathit{BT}$ of length 
$n$. To compute binding-times, we define the function $\beta : \mathit{Proc} \times \mathit{Call}_P \times 2^{B_C} \times$ 
$\mathit{Var}_{PP} \mapsto \mathit{BT}$ as follows: 

Definition 13. We define $\beta : \mathit{Proc} \times \mathit{Call}_P \times 2^{B_C} \times \mathit{Var}_{PP} \mapsto \mathit{BT}$ as follows: for a 
program variable $X$ of type $t_X$ that is initialised at program point $pp$, 

$\beta(p, \pi, \mathcal{V}, X_{pp}) =$ if $X = \mathit{Arg}(p)_i$ and input then $\pi_i$ 
else $\{(\delta, \mathit{static}) \mid \delta$ a $\mathit{TPath} \in t_X\}$ 

$\sqcup\ \{(\gamma \bullet \eta, c) \mid X_{pp}^{\gamma} \geq c \in \mathcal{V}, c \in \{\mathit{static}, \mathit{dynamic}\}$ and 
$\eta$ a $\mathit{TPath} \in t_X^{\gamma}\}$ 

$\sqcup\ \{(\gamma \bullet \eta, \tau(\delta \bullet \eta)) \mid X_{pp}^{\gamma} \geq Y_0^{\delta} \in \mathcal{V}, \eta$ a $\mathit{TPath} \in t_X^{\gamma}$ and 
$\tau = \pi_j$ with $Y = \mathit{Arg}(p)_j\}$ 
Note that computing binding-times using $\beta$ is a cheap process, as it merely 
consists of looking up some binding-times from the call pattern and combining 
(subvalues of) these using the least upper bound operator on $\mathit{BT}$. The resulting 
binding-time is the least dynamic one satisfying the constraints from $\mathcal{V}$. 

Example 7. Reconsider $\mu_{M_{app}}$ from Example 6 and the binding-times as depicted 
in Fig. 1. Given the call pattern $\pi = (\tau_2, \tau_1, \bot)$, 

$\beta(\mathit{app}, \pi, \mu_{M_{app}}, Z_0) = \{(\langle\rangle, \mathit{static}), (\langle([|],1)\rangle, \mathit{static})\}$ 

$\sqcup\ \{(\langle\rangle, \mathit{static}), (\langle([|],1)\rangle, \mathit{static})\}$ 
from $Z_0 \geq Y_0$ and $\beta(p, \pi, \mathcal{V}, Y_0) = \{(\langle\rangle, \mathit{static}), (\langle([|],1)\rangle, \mathit{static})\}$ 

$\sqcup\ \{(\langle([|],1)\rangle, \mathit{dynamic})\}$ 
from $Z_0^{\langle([|],1)\rangle} \geq X_0^{\langle([|],1)\rangle}$ and $\beta(p, \pi, \mathcal{V}, X_0) = \{(\langle\rangle, \mathit{static}), (\langle([|],1)\rangle, \mathit{dynamic})\}$ 

$= \{(\langle\rangle, \mathit{static}), (\langle([|],1)\rangle, \mathit{dynamic})\} = \tau_2$ 

In this section, we have described BTA for a first-order subset of Mercury 
as a 2-phase process. The first, and computationally most involved phase - the 
computation of a set of normalised binding-time constraints - is performed in- 
dependent of any call pattern of interest. Hence, this phase needs to be run only 
once for each module; its results can be recorded and used when analysing other 
modules that import this one. It is only the second phase - computing binding- 
times w.r.t. a call pattern - that needs to be repeated for every call and call 
pattern of interest. 

Example 8. Consider a module $M_{rev}$, importing the module $M_{app}$ and consisting 
of the definition of reverse: $\mathit{rev}(\mathit{list}(T) :: \mathit{in}, \mathit{list}(T) :: \mathit{out})$² 

$\mathit{rev}(X, R) \,{:}{-}\, \ldots ;$ 
$X \Rightarrow [E|Es], \mathit{rev}(Es, Rs), X' \Leftarrow [E], \mathit{append}(Rs, X', R).$ 

When constructing $\mu_{M_{rev}}$, the constraints for the call to append are renamings of 
$\mu_{M_{app}}(\mathit{append})$ (see Example 6) w.r.t. the mapping $\{X \mapsto Rs, Y \mapsto X', Z \mapsto R\}$: 

$R^{\langle([|],1)\rangle} \geq Rs^{\langle([|],1)\rangle}$, $R \geq X'$ 

resulting (without re-analysing append itself) in the following constraints for 
rev: 

$E \geq X^{\langle([|],1)\rangle}$, $R \geq \mathit{static}$, 
$Es \geq X$, $X' \geq \mathit{static}$, $R^{\langle([|],1)\rangle} \geq X^{\langle([|],1)\rangle}$ 

² In the remaining examples, we associate only one occurrence with each variable and 
leave out the program point subscript in order to ease notation. 
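The two-phase analysis of Sect. 2, constraint generation and normalisation (Definitions 8 to 12) followed by β (Definition 13), carried out on the append procedure of Example 3, as an added Python example that is neither the paper's nor the Mercury compiler's code; it reproduces the constraint sets of Examples 5 and 6 and the binding-time of Example 7. Its encodings are the example's own assumptions: only list(T) is modelled, a procedure is given as its execution paths (branches of program-point/atom pairs, so init is the latest occurrence on the path), and compact unfolds one non-normal constraint at a time.

```python
"""Added example, not the paper's or the Mercury compiler's code: first-order BTA
by constraint solving (Definitions 8-13) run on append from Example 3.  A
constraint is (lhs, rhs) with lhs = ((var, pp), path) and rhs a constant or such
a pair; only list(T) is modelled, its recursive position ([|],2) being the root."""
CONS = "[|]"
STATIC, DYNAMIC = "static", "dynamic"
LIST_PATHS = ((), ((CONS, 1),))                 # canonical type paths of list(T)
TAU1 = {(): STATIC, ((CONS, 1),): STATIC}       # fully static list (Fig. 1)
TAU2 = {(): STATIC, ((CONS, 1),): DYNAMIC}      # static skeleton, dynamic elements

def canon(path):
    """Type path modulo the equivalence of Example 2 (list(T) only)."""
    return tuple(step for step in path if step != (CONS, 2))

def ext(gamma, delta):
    """Definition 10: (a, b) with gamma.a == delta.b, or None if incomparable."""
    if delta[:len(gamma)] == gamma:              # gamma . eta == delta
        return (delta[len(gamma):], ())
    return ((), gamma[len(delta):]) if gamma[:len(delta)] == delta else None

def project(lhs, rhs, cs):
    """Unfold lhs >= rhs (rhs a variable occurrence) w.r.t. the constraints cs."""
    (xocc, xpath), (yocc, ypath) = lhs, rhs
    out = set()
    for (vocc, vpath), s in cs:
        e = ext(ypath, vpath) if vocc == yocc else None
        if e is not None:                        # subvalue S^eta of the right-hand side
            sub = s if s in (STATIC, DYNAMIC) else (s[0], canon(s[1] + e[1]))
            out.add(((xocc, canon(xpath + e[0])), sub))
    return out

def compact(cs):
    """Definition 11: unfold until every right-hand side is a constant or at pp 0."""
    cs = set(cs)
    while True:
        todo = [c for c in cs if c[1] not in (STATIC, DYNAMIC) and c[1][0][1] != 0]
        if not todo:
            return cs
        cs.remove(todo[0])
        cs |= project(todo[0][0], todo[0][1], cs)

def btc(name, procs, mu):
    """Definitions 8 and 9: constraints of one procedure, given callee normal forms mu."""
    proc, cs = procs[name], set()
    for branch in proc["branches"]:                    # one execution path per branch
        env = {v: (v, 0) for v in proc["inputs"]}      # env[V] == init(V, current pp)
        for pp, (kind, *args) in branch:
            if kind == "assign":                       # X := Y
                x, y = args
                cs.add((((x, pp), ()), (env[y], ())))
                outs = [x]
            elif kind == "con":                        # X <= f(Y1, ..., Yn)
                x, f, ys = args
                cs.add((((x, pp), ()), STATIC))
                cs |= {(((x, pp), canon(((f, k),))), (env[y], ())) for k, y in enumerate(ys, 1)}
                outs = [x]
            elif kind == "decon":                      # Y => f(X1, ..., Xn)
                y, f, outs = args
                cs |= {(((x, pp), ()), (env[y], canon(((f, k),)))) for k, x in enumerate(outs, 1)}
            else:                                      # call q(X1, ..., Xn): rename mu(q)
                q, xs = args
                ren = dict(zip(procs[q]["args"], xs))  # formal -> actual argument
                for ((fv, _), fpath), s in mu.get(q, set()):
                    rhs = s if s in (STATIC, DYNAMIC) else (env[ren[s[0][0]]], s[1])
                    cs.add((((ren[fv], pp), fpath), rhs))
                outs = [ren[a] for a in procs[q]["args"] if a not in procs[q]["inputs"]]
            env.update({x: (x, pp) for x in outs})     # these variables got initialised at pp
        # Gamma: final occurrence of each output argument on this execution path
        cs |= {(((o, 0), ()), (env[o], ())) for o in proc["args"] if o not in proc["inputs"]}
    return cs

def analyse(procs):
    """Definition 12: fixed point of constraint generation over the module."""
    mu = {p: set() for p in procs}
    while True:
        nf = {p: {c for c in cs if c[0][0][1] == 0} for p, cs in mu.items()}  # mu|0
        new = {p: compact(btc(p, procs, nf)) for p in procs}
        if new == mu:
            return mu
        mu = new

def beta(proc, pi, cs, occ, paths=LIST_PATHS):
    """Definition 13: least binding-time of occurrence occ under call pattern pi."""
    if occ[1] == 0 and occ[0] in proc["inputs"]:
        return pi[proc["args"].index(occ[0])]
    bt = {rho: STATIC for rho in paths}
    for (lhs, gamma), s in cs:
        for rho in (r for r in paths if lhs == occ and r[:len(gamma)] == gamma):
            eta = rho[len(gamma):]                     # rho == gamma . eta
            v = s if s in (STATIC, DYNAMIC) else pi[proc["args"].index(s[0][0])][canon(s[1] + eta)]
            bt[rho] = DYNAMIC if DYNAMIC in (v, bt[rho]) else STATIC
    return bt

# append(X::in, Y::in, Z::out) of Example 3 in superhomogeneous form, with program points
APPEND = {"args": ["X", "Y", "Z"], "inputs": {"X", "Y"}, "branches": [
    [(1, ("decon", "X", "[]", [])), (2, ("assign", "Z", "Y"))],
    [(3, ("decon", "X", CONS, ["E", "Es"])), (4, ("call", "append", ["Es", "Y", "R"])),
     (5, ("con", "Z", CONS, ["E", "R"]))]]}

def example7():
    """Example 7: call pattern (tau2, tau1, _) gives tau2 for append's output Z."""
    mu = analyse({"append": APPEND})
    return beta(APPEND, (TAU2, TAU1, None), mu["append"], ("Z", 0))
```

Running `example7()` returns `{(): "static", (("[|]", 1),): "dynamic"}`, i.e. τ2; the normal form of append (constraints with left-hand side Z_0) is the subset of `analyse(...)["append"]` shown in Example 6.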
3 BTA in a Higher-Order Setting 

Mercury is a higher-order language in which closures can be created, passed as 
arguments of predicate calls, and in turn be called themselves. In this section, 
we reconsider the defined BTA in such a higher-order context. 

To deal with the higher-order issues in Mercury, it suffices to extend the defi- 
nition of superhomogeneous form (see Definition 5) with two new kinds of atoms: 
a higher-order unification, $X \Leftarrow p(V^1, \ldots, V^k)$ with $p \in T_P$ and $V^1, \ldots, V^k \in$ 
$\mathit{Var}$, constructs a closure from a predicate $p$ where $V^1, \ldots, V^k$ are the cur- 
ried arguments. Closures are called using a higher-order call $P(C^1, \ldots, C^n)$ 
where $C^1, \ldots, C^n \in \mathit{Var}$ are the closure's arguments. To express higher-order 
binding-times, we also consider a higher-order type to be included in the set 
of types ($\mathit{MT}$). A higher-order type is a type definition of a predicate like 
$p(t_1, \ldots, t_n)$ with $t_i \in \mathit{MT}$. When constructing a type tree, higher-order types 
are considered leaf nodes (the argument types are thus not taken into account 
in the type tree). 

3.1 Closure Information 

The basic problem when analysing a procedure involving higher-order calls, is 
that the control flow in the procedure is determined by the value of the higher- 
order variables. Consequently, without knowing (an approximation of) these 
values, it is impossible to compute meaningful data dependencies between the 
procedure’s variables. Consider the following example: 

Example 9. The map predicate converts the first list of type T to a new list of 
type T using the predicate provided in the second argument. 

:- pred map(list(T), pred(T, T), list(T)). 
:- mode map(in, in(pred(in, out)), out) is det. 

$\mathit{map}(L_i, P, L_o) \,{:}{-}\, L_i \Rightarrow [], L_o \Leftarrow [] ;$ 
$L_i \Rightarrow [E_1|Es_1], P(E_1, E_2), \mathit{map}(Es_1, P, Es_2), L_o \Leftarrow [E_2|Es_2].$ 

In this example, we know from the mode declaration that $E_1$ is input and 
$E_2$ is output from the call to $P$. To compute a meaningful binding-time for $E_2$ 
(and all variables depending on $E_2$), we need to consider the dependencies that 
most likely exist between $E_2$ and $E_1$. Obviously, this requires information on 
the possible closures $P$ can be bound to. Without this information, we can only 
approximate $E_2$'s binding-time by $\mathit{dynamic}$, resulting in the following constraints 
for map: 

$L_o \geq \mathit{static}$, $L_o^{\langle([|],1)\rangle} \geq E_2$, $L_o \geq Es_2$, 
$E_1 \geq L_i^{\langle([|],1)\rangle}$, $Es_1 \geq L_i$, $E_2 \geq \mathit{dynamic}$ 

However, if there is in the module a call to map that binds $P$, for example, to the 
predicate rev from above, then we can create a more precise set of constraints for 
map w.r.t. the fact that $P = \mathit{rev}$, and the call $P(E_1, E_2)$ can, during constraint 
generation, be treated as a first-order call $\mathit{rev}(E_1, E_2)$, resulting in the following 
extra constraints (which are a renaming from $\mu(\mathit{rev})$, see Example 8): 

$E_2 \geq \mathit{static}$, $E_2^{\langle([|],1)\rangle} \geq E_1^{\langle([|],1)\rangle}$ 

Normalising and incorporating the constraints for the call to map now results in 
the following set of constraints: 

$E_1 \geq L_i^{\langle([|],1)\rangle}$, $Es_1 \geq L_i$, $E_2 \geq \mathit{static}$, 
$L_o \geq \mathit{static}$, $L_o^{\langle([|],1)\rangle} \geq \mathit{static}$, $L_o^{\langle([|],1),([|],1)\rangle} \geq L_i^{\langle([|],1),([|],1)\rangle}$ 



Informally, the constraints on map's output argument Lq express that in the 
least solution, the binding-times of the elements of the output lists will be the 
same as the binding-times of the elements of the input lists. 



3.2 Higher-Order BTA 

The general idea behind performing the analysis in a higher-order setting is to 
associate different sets of constraints to the same predicate, depending on the 
closures occurring in its call pattern. 

To make this information available during BTA, we extend the notion of a 
binding-time to include, for higher-order variables, a set of closures. This set 
approximates the specific closure bound to the variable at runtime. For analysis 
purposes, we denote such a closure with $p(\tau_1, \ldots, \tau_k)$ where $p$ is a procedure 
and $\tau_1, \ldots, \tau_k$ are binding-times for the curried arguments. The set of all such 
closures is denoted by $\mathit{Clos}$. In what follows, we extend the necessary definitions 
from Sect. 2. First, we extend the domain $B$ by an explicit bottom element $\bot$ 
and elements $\mathit{static}(S)$ with $S \in 2^{\mathit{Clos}}$. The domain is ordered by the lattice in 
Fig. 2. 

[Fig. 2. The ordering on $B$: $\mathit{dynamic}$ at the top, above $\mathit{static}$ and the elements $\mathit{static}(S)$, 
with the bottom element $\bot$ below.] 

The ordering between elements $\mathit{static}(S_1)$ and $\mathit{static}(S_2)$ in turn is determined 
by the lattice $(2^{\mathit{Clos}}, \supseteq)$, that is: $\mathit{static}(S_1) \geq \mathit{static}(S_2)$ if and only if $S_1 \supseteq S_2$. 
Given this notion of $B$, the definition of a binding-time remains unchanged. 




412 



Wim Vanhoof 



In the higher-order BTA, we associate a set of binding-time constraints to a
call/call pattern pair and consequently denote the result of analysis by a function
from Proc × CallP to sets of binding-time constraints. Like in the first-order case,
the entries of this function contain the set of normalised binding-time constraints
of the involved procedure/call pattern pair, and we also consider the restriction
of these sets to the procedure's normal form (under the involved call pattern).

Computing the set of binding-time constraints associated to a procedure p
w.r.t. call pattern π requires the normal forms of the procedures called in the
body of p. Hence, we denote this set with BTC_π(p), which is defined like BTC_p
in the first-order case, except for the handling of procedure calls.

Like before, handling a first-order call involves renaming the called predicate's
normal form, which now depends on that call's call pattern. Let q(X^1, . . . , X^n)
denote a call in procedure p's body at program point pp. The constraints asso-
ciated with this call are C_{p⇐(q,(τ_1, . . . , τ_n))}(q(X^1, . . . , X^n)) where C is defined as in
Definition 8 and (τ_1, . . . , τ_n) denotes the call pattern of the call, which is com-
puted using the set of binding-time constraints already associated with p and π:

\/i-.Ti = /3(p,7r,p=(p,7r), 

Handling a higher-order call P(X^1, . . . , X^n) is a bit more complicated.

First of all, the binding-time of P is computed in the current environment (that
is, the procedure p and call pattern π). If this binding-time turns out to be
dynamic (indicating that P is not bound to a set of closures at specialisation-
time), the binding-times of the call's output arguments are simply approximated
by dynamic, by introducing the following constraints for the call:

    {X^i_pp ≥ dynamic | X^i is an output argument}

If, on the other hand, the binding-time of P turns out to be static(S), S denoting
the set of closures P can be bound to, the higher-order call can be treated as a
number of first-order calls (one for each closure in S), and its set of associated
constraints is the union of the (renamed) normal forms associated to each of the
derived first-order calls:

    ⋃_{q(τ_1, . . . , τ_k) ∈ S} C_{p⇐(q,(τ_1, . . . , τ_n))}(q(X^{k+1}, . . . , X^n))

Note that the involved call pattern (τ_1, . . . , τ_n) is a combination of the binding-
times from the closure and the binding-times of the remaining arguments (com-
puted as in the first-order case). The constraints associated to q((τ_1, . . . , τ_n)) are
renamed with respect to the sequence of variables

    P^{((pred,1))}, . . . , P^{((pred,k))}, X^{k+1}, . . . , X^n

where P^{((pred,j))} denotes a new binding-time variable that refers to the j-th
binding-time from the closure associated to P.

Example 10. Consider a higher-order call P(L_2, L_3) and suppose we know that
P is bound to a closure append(τ_1) (the append predicate from Example 3 with
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its first argument curried). This call introduces the following constraints, by
appropriate renaming of append's normal form:

    L_3 ≥ L_2 ≥ P^{((pred,1))}

3.3 Towards Maximum Modularity

Like in the first-order case, when analysing a module M, we start from an initial
table containing the analysis results for the imported modules. We return
to the issue of modularity further on. An entry for a call and call pattern (p, π)
of interest is added to the table by computing BTC_π(p), resulting in a new
table in which (empty) entries are added for all call/call pattern pairs for which,
during computation of the normal form, an entry needed to be retrieved but
was not yet available. The set of normalised binding-times is then (re)computed
for each entry in the table belonging to a procedure in M, possibly requiring
new entries to be added to the table. This process is repeated until a fixed point is
reached.

It is important to note that, when constructing the table, a new entry for p
w.r.t. call pattern π should only be created if there is not yet an entry for (p, π')
in the table, where π' is a call pattern of which the higher-order parts (i.e. the
involved closures) are equal to those of π. For constraint generation, only these
higher-order parts are significant, since the set of generated constraints does not
depend on the first-order parts of the call pattern.

The analysis of a module starts from (p_i, (dynamic, . . . , dynamic)) for every
exported predicate p_i. Using (dynamic, . . . , dynamic) as a call pattern ensures
that no (higher-order) information from outside the module is assumed and thus
the result of analysis can be used when analysing other modules that import
M. Higher-order information that is local to a module, however, is used if BTA
deals with higher-order unification. Therefore, we extend the notion of a binding-
time constraint so that its right-hand side now can include static(p(Y^1, . . . , Y^k)),
as we associate the constraints

    {X ≥ static(p(Y^1_{pp_1}, . . . , Y^k_{pp_k})) | Y^1_{pp_1} ∈ init(Y^1, pp), . . . , Y^k_{pp_k} ∈ init(Y^k, pp)}

with such a higher-order unification X = p(Y^1, . . . , Y^k). The minimal binding-
time for X satisfying this constraint says that X is bound to a closure created
from the predicate p and binding-times for Y^1, . . . , Y^k.

The right-hand side of such a constraint is "constant", and it can readily be
used by β to compute a binding-time for X. All β needs to do is to compute the
binding-times τ_1, . . . , τ_k for Y^1, . . . , Y^k (in the same environment) and guarantee
that if the binding-time for X turns out to be static(S) (by evaluating possibly
other constraints on X), then the closure p(τ_1, . . . , τ_k) ∈ S. Note however that
while such a constraint can be considered to be in normal form (as it can readily
be used by β), it can only be considered as part of the normal form of the
procedure it is part of if the arguments of the closure construction are arguments
of that procedure. If not, such a constraint cannot be directly renamed into a
caller's environment.
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Consider the following example, defining a predicate lrev(list(list(T)) ::
in, list(list(T)) :: out) that reverses each of the lists in its first argument:

    lrev(L_1, L_2) :- P = rev, map(L_1, P, L_2).

When analysing lrev w.r.t. the call pattern (dynamic, dynamic), the constraint
P ≥ static(rev()) is derived for lrev in a first iteration round. In a next round,
this constraint is used to derive (dynamic, static({rev()}), dynamic) as call pat-
tern for the call to map. If map and rev are defined in the same module as lrev,
a specific version of the constraints for map is created, leading to the following
set of normalised constraints for lrev (the constraints with only static in the
right-hand side are removed):

Informally, this constraint implies that in the least solution the binding-times
of the elements of the output lists will be the same as the binding-times of the
elements of the input lists. Note that this set of constraints is independent of
the call pattern of lrev, as this does not contain any higher-order information.
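The binding-time lattice B of Sect. 3.2 and the least-solution computation that the analysis performs on a normal form (the step behind the lrev discussion here and the polyvariance remark in the Discussion), as an added Python illustration that is not the paper's own code. It assumes the ordering ⊥ < static < static(S) < dynamic read from Fig. 2, and the lrev constraint set is a constructed stand-in, since the page does not reproduce the actual normal form.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BT:
    """A binding-time: level 0 = bottom, 1 = static, 2 = static(S), 3 = dynamic.
    Ordering assumed from Fig. 2: bottom < static < static(S) < dynamic, and
    static(S1) <= static(S2) iff S1 is a subset of S2 (the lattice (2^Clos, ⊇))."""
    level: int
    closures: frozenset = frozenset()   # the set S; only meaningful when level == 2


BOTTOM, STATIC, DYNAMIC = BT(0), BT(1), BT(3)


def static_of(*closures):
    """The element static(S) for the closures S, e.g. static_of("rev()")."""
    return BT(2, frozenset(closures))


def leq(x, y):
    """x <= y in B."""
    if x.level == 2 and y.level == 2:
        return x.closures <= y.closures
    return x.level <= y.level


def lub(x, y):
    """Least upper bound in B; static(S1) join static(S2) = static(S1 union S2)."""
    if x.level == 2 and y.level == 2:
        return static_of(*(x.closures | y.closures))
    return y if x.level <= y.level else x


def least_solution(constraints, call_pattern):
    """Least assignment satisfying every constraint X >= rhs, where rhs is either a
    variable name or an element of B; call_pattern fixes the input arguments' values."""
    value = {}
    for lhs, rhs in constraints:
        value.setdefault(lhs, BOTTOM)
        if isinstance(rhs, str):
            value.setdefault(rhs, BOTTOM)
    for var, bt in call_pattern.items():
        value[var] = lub(value.get(var, BOTTOM), bt)
    changed = True
    while changed:                      # Kleene iteration; B has finite height
        changed = False
        for lhs, rhs in constraints:
            bound = value[rhs] if isinstance(rhs, str) else rhs
            new = lub(value[lhs], bound)
            if new != value[lhs]:
                value[lhs], changed = new, True
    return value


# Constructed (hypothetical) constraint set for lrev(L1, L2) :- P = rev, map(L1, P, L2):
# the closure constraint from the unification P = rev, and the output list following
# its input, as the text describes informally. Not the paper's actual normal form.
LREV_CONSTRAINTS = [
    ("P", static_of("rev()")),
    ("L2", "L1"),
]


def analyse_lrev(l1):
    """Binding-times of P and L2 for lrev when the input L1 has binding-time l1."""
    sol = least_solution(LREV_CONSTRAINTS, {"L1": l1})
    return sol["P"], sol["L2"]


if __name__ == "__main__":
    for pattern in (DYNAMIC, STATIC):
        print(pattern, "->", analyse_lrev(pattern))
```

The same constraint set yields different least solutions for the call patterns (dynamic, dynamic) and (static, dynamic), which is the polyvariance the text refers to.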

If map and/or rev are defined in a different module (say M'), then there are
several possibilities to follow. A first one is to rename the constraints associated
to a version of map w.r.t. a call pattern that is more dynamic. Note that this
option is always available, as map - being an exported predicate of M' - will at
least be analysed w.r.t. (dynamic, . . . , dynamic), the result being recorded in the
initial table. While correct, this option will not result in useful constraints for
predicates using map.

A more interesting option is to make sure that when analysing M, enough
information is available such that map can be (re)analysed w.r.t. this new call
pattern, outside the scope of the earlier analysis of M'. Note that doing so might
require (re)analysing all procedures involving higher-order arguments imported
by map and other procedures imported therein. Recent work [3] indicates how
such a call dependent analysis can still be performed on a modular basis, re-
analysing one module at a time and propagating analysis results - possibly
triggering reanalysis of other modules - until "enough" precision is obtained.



4 Discussion 

In this work, we have rephrased a BTA for Mercury [16] using constraint nor- 
malisation, an approach that allows - in contrast with our earlier work - to 
perform (a large part of) the analysis on a modular basis. When no higher-order 
control flow is involved, constraint normalisation can be performed one module 
at a time, bottom-up in the module graph. To obtain maximal precision with 
predicates that do involve higher-order flow, it can be necessary to re-analyse 
the predicate with respect to specific closure information in the predicate’s call 
pattern. Dealing with modular programs is mandatory to apply program analy- 
sis tools on real-world programs. Recently, analysis of modular programs gained 
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attention in a logic programming setting. For example, [14] discusses some - 
mainly practical - issues in the analysis of modular programs. 

The current work formalises the ideas presented in [17] and extends the anal- 
ysis to deal with the higher-order concepts of Mercury. In our analysis, closures 
are encapsulated in the notion of a binding-time, and our analysis does not 
require a separate closure analysis. Closure information from the call pattern 
is incorporated during constraint generation and normalisation. The analysis 
is polyvariant in this respect, as different such call patterns result in differ- 
ent constraint sets for the same predicate. Computing concrete binding-times 
is straightforward given binding-times for a predicate’s input arguments, as it 
merely consists of computing the least solution of the predicate’s associated nor- 
mal form. The analysis is also polyvariant in this respect: different call patterns 
result in a different least solution of the same constraint set. 

We are closely collaborating with the Mercury developers in Melbourne to 
implement the described BTA in a version of the Mercury compiler. To that 
extent, the tight interaction between the binding-time analysis and a concrete 
specialiser (ensuring, for example, that binding-times of a call’s output argu- 
ments are treated as dynamic when the specialiser would not unfold the call) 
needs to be modeled. This can be achieved by adding constraints to the system 
that model the conditions under which atoms are evaluated at specialisation- 
time. Topics of further work are to perform some large scale experiments with 
the analysis, and couple it with the partial evaluation mechanisms of the com- 
piler. 
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Abstract 

Guarded logics are fragments of first-order logic, fixed point logic or second-order 
logic in which all quantifiers are relativised by guard formulae in an appropriate 
way. Semantically, this means that such logics can simultaneously refer to a 
collection of elements only if all these elements are ‘close together’ (e.g. coexist 
in some atomic fact). Guarded logics are powerful generalizations of modal logics 
(such as propositional multi-modal logic or the modal μ-calculus) that retain 
and, to a certain extent, explain their good algorithmic and model-theoretic 
properties. 

In this talk, I will survey the recent research on guarded logics. I will also 
present a guarded variant of Datalog, called Datalog LITE, which is semanti- 
cally equivalent to the alternation-free portion of guarded fixed point logic. The 
main focus of the talk will be on model checking (or equivalently, query evalua- 
tion) algorithms for guarded logics. While the complexity of evaluating arbitrary 
guarded fixed point formulae is closely related to the model checking problem for 
the modal μ-calculus (for which no polynomial-time algorithms are known up 
to now), there are interesting fragments that admit efficient, in fact linear time, 
evaluation algorithms. In particular this is the case for the guarded fragment of 
first-order logic and for Datalog LITE. 
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Abstract. The Horn μ-calculus is a formalism extending logic programs by
specifying for each predicate symbol with which (greatest or least) fix-point se-
mantics its denotation has to be computed. When restricted to a particular class
of logic programs called uniform, the Horn μ-calculus provides a syntactic ex-
tension for Rabin tree automata. However, it has been shown [1] that the deno-
tation of the Horn μ-calculus restricted to a uniform program remains a regular
set of trees and that moreover, the emptiness of the denotation of a predicate p
is a DEXPTIME-complete problem (in the size of the program). In [3], these re-
sults have been extended to uniform programs that may contain both existential
and universal quantifications on the variables occurring in the body of "clauses":
considering this extension, the denotation of a program remains a regular set of
trees, but the best known algorithm for testing the emptiness of the denotation of
a predicate is doubly-exponential in the size of the program.

In this paper, we consider uniform logic programs with both kinds of quantifica-
tion in the body. But we add to the Horn μ-calculus a limitation on the way the
fix-point semantics is specified for predicates. This restriction is close to the one
defining the alternation-free fragment of the μ-calculus. Therefore, we name this
fragment of the Horn μ-calculus the alternation-free fragment. We devise for it
an algorithm which performs the emptiness test for the denotation of a predicate
in single-exponential time in the size of the program.

To obtain this result, we develop a constructive approach based on a new kind 
of tree automata running on finite and infinite trees, called monotonous tree au- 
tomata. These automata are defined by means of a family of finite and complete 
lattices. The acceptance condition for monotonous tree automata is based on the 
ordering relations of the lattices. 



1 Introduction

The Horn μ-calculus [1] is a formalism extending logic programs by means of fix-point
operators. In the classical framework of logic programming, the ground¹ semantics
of a program is usually expressed in terms of a least fix-point computation. However,
for some different purposes, the semantics related to the greatest fix-point (also called
reactive semantics) may also be of some interest [11]. The idea of the Horn μ-calculus is
to integrate this semantical point in the program itself by specifying for each predicate
symbol whether its semantics has to be computed as a least or a greatest fix-point.

¹ In this paper, we consider the semantics of programs over the complete Herbrand base, that is
atoms built over finite and infinite trees.

M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 418–435, 2000.

© Springer-Verlag Berlin Heidelberg 2000
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Semantics for a logic program can alternatively be expressed in terms of ground proof
trees. A ground atom belongs to the least fix-point semantics if there exists a finite
ground proof tree rooted by this atom. Since the number of predicate symbols is finite,
this finiteness condition over the proof tree can be rephrased as "for any predicate p,
along every branch, one encounters only finitely many atoms defined with p". On the
other hand, an atom belongs to the greatest fix-point semantics if there exists a ground
(possibly infinite) proof tree rooted by this atom. Thus, in this case predicate symbols
can occur freely infinitely often in atoms along each branch. The Horn μ-calculus cap-
tures such notions by associating with each predicate symbol a positive integer, called
priority. An atom is then "accepted" by the program if there exists a proof tree for it
such that the priorities of predicates in the atoms along each branch satisfy the parity
condition [7]: the maximal priority occurring infinitely often along each branch is even.
Roughly speaking, the semantics for predicate symbols with an odd priority is computed
as a least fix-point and a greatest fix-point is used for predicate symbols with an even
priority.

When this Horn μ-calculus is restricted to a class of logic programs called uniform
programs [8], then its semantics coincides with the notion of regularity à la Rabin [14]:
the set of ground atoms accepted by the program is a regular set of trees. This result
has extended other results concerning the least [10,8] and the greatest [2,6] fix-
point semantics for uniform logic programs obtained in the area of set-based analysis.
Hence, the Horn μ-calculus restricted to uniform programs can be viewed as a particular
technique for performing (set-based) relaxation of the Horn μ-calculus for arbitrary
programs.

As we have said above, uniform logic programs are related to set-based analysis; they
are more specifically connected with some classes of set constraints called the definite
[9] and the co-definite class [4]. To be fully precise, uniform logic programs corre-
spond to the definite and the co-definite classes extended with some set description
called quantified set expressions in [10] and membership expressions in [5,6]. Quan-
tified set expressions (or equivalently, membership expressions) are in fact intensional
descriptions of sets of the form {x | Ψ(x)}; they are interpreted as the set of all trees
τ which satisfy the given property Ψ, i.e. as the set of trees τ such that Ψ(τ) holds.
This property Ψ is presented as an existentially quantified conjunction of atoms. So,
rephrased in the logic programming framework, such an expression would correspond
to the clause p(x) ← Ψ(x). In [16,18], the membership expressions have been
extended by allowing variables to be also universally quantified. The aim of this ex-
tension was to provide a uniform view of the definite and the co-definite classes of set
constraints. So, one may wonder whether this extension can be carried over the Horn
μ-calculus for uniform programs. This would lead to consider "clauses"² of the form
p(t) ← Ψ where the local variables in Ψ (the ones which do not occur in p(t)) can be
quantified existentially or universally.

The Horn μ-calculus restricted to uniform programs with both quantification kinds in
the body has been considered by Charatonik, Niwiński and Podelski in [3] for a model-
checking purpose. It is shown in that paper that this extension preserves the regularity,

² The word clause is used here in a not fully proper way: universal quantification on variables
in the body part leads to formulas that are no longer Horn clauses.
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in the sense that the denotation of the program is a regular set of trees. Furthermore,
Charatonik et al. have proposed an algorithm performing the emptiness test for the
denotation of some predicate; this algorithm runs in doubly-exponential time in the size
of the program, whereas the best known lower-bound for the complexity of this problem
is DEXPTIME.

As in [3], this paper is based on logic programs for which variables occurring in the
body of clauses can be quantified universally or existentially, together with a function
that assigns to predicate symbols a priority (i.e. a natural number). However, we will
consider only a fragment of this calculus; this fragment is defined by a syntactic restric-
tion based on priorities. It is quite similar to the restriction defining from the μ-calculus
its alternation-free fragment. Therefore, we call this fragment the alternation-free Horn
μ-calculus. Roughly speaking, the restriction for the alternation-free μ-calculus requires
that the computation of the semantics of a formula can be achieved layer-by-layer, each
of those layers representing a homogeneous block of fix-point quantifiers. In a similar
way, for the alternation-free Horn μ-calculus, the semantics of any predicate p cannot
depend on the semantics of some predicate q having a priority strictly greater than the
one of p: the denotation of a predicate cannot depend on the denotation of predicates
belonging to upper layers. For this alternation-free fragment, we rephrase its semantics
by means of fix-point operators based on this idea of layers.

We show here that for the alternation-free Horn μ-calculus restricted to uniform pro-
grams with both quantification kinds in bodies, deciding whether the denotation of a
predicate p is empty (that is, deciding whether there exists a tree τ such that p(τ) be-
longs to the denotation of the program) can be achieved in single-exponential time in
the size of the program, improving the result from [3] for this specific fragment. To ob-
tain this result, we have designed a new kind of tree automaton, called monotonous tree
automaton.

Those automata are based on a family of finite and complete lattices (S_i, ≤_i). A state is
a tuple of the S_i's. The notion of runs coincides with the classical one but the acceptance
condition of those runs is based on the family of orderings (≤_1, . . . , ≤_n) on which the
lattices are defined. We show that for a monotonous tree automaton the emptiness of
the accepted language can be checked in polynomial time in the size of the automaton.
For a program from the alternation-free Horn μ-calculus (P, Ω), we fix a general shape
of the monotonous automata we have to consider. Then, we design some fix-point op-
erators defined over those automata that mimic the fix-point semantics of (P, Ω). Our
algorithm yields a monotonous tree automaton that recognizes the semantics of (P, Ω).
The paper is organized as follows: in Section 2, we give the syntactic definition for the
Horn μ-calculus as well as its semantics in terms of proof trees. We also present there
the alternation-free fragment together with its alternative semantics in terms of fix-
points. Section 3 is devoted to the presentation of the generalized uniform programs we
consider. Those programs allow, in projection clauses, variables occurring in the body to
be either universally or existentially quantified. This section also settles the main result
of this paper, that is, that the emptiness problem for the alternation-free Horn μ-calculus
when restricted to those so-extended uniform programs is DEXPTIME-complete. The
rest of the paper, that is Section 4, addresses the method we used to obtain this result: we
present there monotonous tree automata and give some basic results about them like the
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regularity of the recognized language and the complexity for the emptiness problem.
Then, we present an algorithm that, given a uniform program from the alternation-free
Horn μ-calculus, computes an equivalent monotonous tree automaton; the semantics of the
program and the language accepted by the automaton coincide.

Due to lack of space, most of the proofs are not in this paper but can be found in the
long version [17].

2 The Horn μ-Calculus

We consider a finite ranked signature Σ. We denote by T_Σ the set of all finite and infinite
trees generated over Σ. For a tree τ, dom(τ) will denote its tree domain; for any po-
sition d in dom(τ), τ(d) denotes the function symbol from Σ labeling τ at position d
and τ[d] denotes the sub-tree of τ rooted at position d.

We consider also a finite set of monadic³ predicate symbols Pred; we will denote by HB
the complete Herbrand base generated over Pred and T_Σ, i.e. the set of all ground atoms
p(τ) with p ∈ Pred and τ ∈ T_Σ.

For a term t or a first-order formula Ψ, Var(t) and Var(Ψ) will denote the set of all
free variables respectively in t and in Ψ. Assuming that in the formula Ψ two different
quantifications always address two different variables, we denote by Var_∃(Ψ) and Var_∀(Ψ)
the set of all variables that are respectively existentially and universally quantified in Ψ.

2.1 Definitions

A generalized clause (or simply, a clause in the rest of the paper) is a first-order for-
mula that generalizes Horn clauses by allowing universal quantification on the variables
appearing in the body part of the clause. More formally, a generalized clause is an im-
plication

    p(t) ← Ψ    with    Ψ ::= p'(t') | Ψ ∧ Ψ | ∃y Ψ | ∀y Ψ | true

where t and the t' are first-order terms and p, p' belong to Pred. We assume wlog that the
free variables of the formula Ψ must occur in the head of the clause, that is in the term
t.

Definition 1. A Horn μ-program (P, Ω) is given by a set P of generalized clauses and
a mapping Ω from Pred to the set of natural numbers.

For a predicate p, Ω(p) is the priority of p and max(Ω(P)) is the maximal priority in
the range of Ω over the predicates of P. For a clause c, Ω(c) denotes the priority of the
predicate symbol occurring in the head of c.

The semantics for a Horn μ-program is given by means of ground proof trees. A proof
tree for a ground atom p(τ) is a (possibly) infinite and infinitely-branching tree rooted
in a node labeled by p(τ). Moreover, for any node n in the proof tree, labeled by some
ground atom p'(τ'), there exists a clause p'(t) ← Ψ and a substitution σ : Var(t) → T_Σ
such that:

³ For a matter of simplicity, we shall consider only monadic predicate symbols. The notions
presented in this section extend naturally to predicate symbols with arbitrary arity.
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- σ(p'(t)) = p'(τ') and,

- the sons of the node n are labeled by elements from the set Sons(n, p'(t) ← Ψ) in
such a way that for all elements l in Sons(n, p'(t) ← Ψ), there is exactly one son
of n labeled by l.

This set Sons(n, p'(t) ← Ψ) is a set of ground atoms and is a minimal model over the
universe HB of the formula Ψ under the substitution σ, i.e. Sons(n, p'(t) ← Ψ), σ ⊨
Ψ.

Note that leaves in a proof tree correspond necessarily to the case where the clause used
to compute Sons(n, p'(t) ← Ψ) is a fact, i.e. Ψ = true. In this case, Sons(n, p'(t) ←
Ψ) is empty.

For an infinite path π in a proof tree, we denote by Inf(π) the set of all priorities that occur
infinitely often along the path π. We say that a proof tree accepts the atom p(τ) if it is
rooted in a node labeled by p(τ) and for all paths π starting from the root, the maximal
element of Inf(π) is even. A Horn μ-program (P, Ω) accepts a ground atom p(τ) if
there exists a proof tree which accepts the atom p(τ).

We denote by ⟦(P, Ω)⟧ (resp. ⟦(P, Ω), p⟧) the set of all ground atoms (resp. of all ground
atoms for the predicate symbol p) accepted by the Horn μ-program (P, Ω).

2.2 The Alternation-Free Fragment of the Horn μ-Calculus

We give here a syntactic restriction for the Horn μ-calculus as we presented it above. This
restriction limits the dependency on predicates according to their respective priorities.
We say that a predicate p depends on a predicate q if there exists a clause p(t) ← Ψ
such that either q occurs in Ψ or some predicate r occurs in Ψ and r depends on q.

Definition 2 (Alternation-free Horn μ-calculus). A Horn μ-program is said to be
alternation-free if for any predicates p, q, if p depends on q then the priority of q is
smaller or equal to the priority of p, i.e. Ω(q) ≤ Ω(p).

Note that "classical" logic programs with respect to their usual least fix-point semantics
as well as to their reactive greatest fix-point semantics fall into this alternation-free frag-
ment: for a logic program P, the least fix-point semantics of P is exactly the denotation
of the alternation-free Horn μ-program (P, Ω_l) where Ω_l(p) = 1 for any predicate p in
P, whereas the greatest semantics is the denotation of (P, Ω_g) where Ω_g(p) = 0 for any
p in P.

We give for the alternation-free Horn μ-calculus a semantics in terms of fix-points. This
latter is however equivalent to the ground proof tree semantics. For simplicity, we will
assume from now on that the range of the function Ω is an interval over N of the form
[0 . . . max(Ω(P))].

Let T^i_{(P,Ω)} : HB → HB be an operator defined for any integer i in the range of Ω(P)
as follows:

    T^i_{(P,Ω)}(S) = (S \ HB^i) ∪ { p(σ(t)) | there exists p(t) ← Ψ in P such that Ω(p) = i,
                                            there exists a substitution σ : Var(t) → T_Σ
                                            such that S, σ ⊨ Ψ }

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where HB^i is the set of all ground atoms defined for predicates p with priority i.

Let us consider a set A such that A ∩ HB^i = ∅. Now, it is easy to see that L_A =
({A ∪ S' | S' ⊆ HB^i}, ⊆) is a complete lattice and that T^i_{(P,Ω)} is monotonic over this
lattice. So, by the Knaster-Tarski theorem, T^i_{(P,Ω)} admits a least and a greatest fix-point
over this lattice, respectively denoted lfp_A(T^i_{(P,Ω)}) and gfp_A(T^i_{(P,Ω)}).
In order to define the fix-point semantics for some alternation-free Horn μ-program
(P, Ω), we introduce a family F^i_{(P,Ω)} of sets of ground atoms for each i in Ω(P) as:

    F^0_{(P,Ω)} = gfp_∅(T^0_{(P,Ω)})
    F^i_{(P,Ω)} = lfp_{F^{i-1}_{(P,Ω)}}(T^i_{(P,Ω)})   if i is odd
    F^i_{(P,Ω)} = gfp_{F^{i-1}_{(P,Ω)}}(T^i_{(P,Ω)})   if i is even

The fix-point semantics of (P, Ω) is simply the set F^n_{(P,Ω)} where n is max(Ω(P)).
As claimed earlier, the fix-point and the proof tree semantics coincide, as stated in the
following theorem:

Theorem 1. Let (P, Ω) be an alternation-free Horn μ-program with Ω(P) = [1 . . . n].
Then ⟦(P, Ω)⟧ = F^n_{(P,Ω)}.



Example 1. Let us consider (P, Ω), the alternation-free Horn μ-program given by

    P = {  p0(f(x,y)) ← p0(x), p0(y)        p0(a)        p0(b)
           p1(f(x,y)) ← p1(x), p0(y)        p1(a)        p1(c)
           p2(x) ← ∃y p1(f(x,y)) ∧ p0(x)  }

and for all i, Ω(p_i) = i.

The set F^0_{(P,Ω)} is exactly the denotation of the predicate p0, that is the set of all ground
atoms p0(τ) where τ is a finite or an infinite tree built over the binary function symbol
f and the two constants a and b.

The set F^1_{(P,Ω)} contains F^0_{(P,Ω)} and the denotation of the predicate p1. The denotation
of this latter is the set of all ground atoms p1(τ'); these trees τ' consist of a finite left
backbone of f symbols terminated either with a or with c. Each of those f symbols
from the backbone has as right son a finite or infinite tree built over f, a and b. The
trees τ' can be depicted as

    τ' = f(f(· · · f(γ, τ_p) · · · , τ_2), τ_1)

where γ is either a or c and the τ_j's are finite or infinite trees built over f, a and b.

Finally, the set F^2_{(P,Ω)} is the denotation of (P, Ω); it contains the set F^1_{(P,Ω)} and the
denotation of p2, that is the set of all ground atoms p2(τ''), where τ'' is a finite left
backbone of f terminated with the constant a and each right son of the f symbols from
the backbone is a finite or infinite tree built over f, a and b. Hence, a tree τ'' is similar
to the tree τ' depicted above except that for τ'', γ is necessarily the constant a.
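The layered fix-point semantics of Sect. 2.2 applied to Example 1, as an added Python illustration that is not part of the paper. It assumes a constructed finite universe of regular trees (a cyclic node graph standing for infinite trees) over which the Herbrand base and the quantifiers are approximated, and a hypothetical tuple encoding of clauses; the outcome for the infinite left backbone shows where the gfp layer (p0) and the lfp layer (p1) differ.

```python
# Layered fix-point semantics of Sect. 2.2 evaluated over a finite universe of regular
# trees. Added illustration, not the paper's own code. Trees: node id -> (label, child
# ids); a node reachable from itself encodes an infinite regular tree. Atoms are (pred,
# node). The finite universe only approximates the complete Herbrand base: a term whose
# tree is not among the nodes is treated as absent, and quantifiers range over the nodes.

def match_head(head, node, trees):
    """Unify a head pattern ('var', x) or ('fun', f, [x1, ..., xm]) with a tree node."""
    if head[0] == "var":
        return {head[1]: node}
    label, kids = trees[node]
    if label != head[1] or len(kids) != len(head[2]):
        return None
    return dict(zip(head[2], kids))

def term_node(term, sigma, index):
    """Node denoted by a body term under sigma, or None if it is not in the universe."""
    if term[0] == "var":
        return sigma[term[1]]
    kids = tuple(term_node(t, sigma, index) for t in term[2])
    return None if None in kids else index.get((term[1], kids))

def holds(body, sigma, atoms, trees, index):
    """S, sigma |= body for bodies built from 'true', 'atom', 'and', 'exists', 'forall'."""
    kind = body[0]
    if kind == "true":
        return True
    if kind == "atom":
        node = term_node(body[2], sigma, index)
        return node is not None and (body[1], node) in atoms
    if kind == "and":
        return all(holds(b, sigma, atoms, trees, index) for b in body[1:])
    quant = any if kind == "exists" else all
    return quant(holds(body[2], {**sigma, body[1]: n}, atoms, trees, index) for n in trees)

def step(atoms, i, program, omega, trees, index):
    """T^i_(P,Omega)(S): keep the atoms outside layer i, recompute those of priority i."""
    new = {a for a in atoms if omega[a[0]] != i}
    for pred, head, body in program:
        if omega[pred] != i:
            continue
        for node in trees:
            sigma = match_head(head, node, trees)
            if sigma is not None and holds(body, sigma, atoms, trees, index):
                new.add((pred, node))
    return new

def fixpoint(start, i, program, omega, trees, index):
    """Iterate T^i from start until stable (increasing from A, decreasing from A u HB^i)."""
    cur = start
    while True:
        nxt = step(cur, i, program, omega, trees, index)
        if nxt == cur:
            return cur
        cur = nxt

def semantics(program, omega, trees):
    """F^n: gfp over the empty set at layer 0, then lfp (odd i) or gfp (even i) above F^(i-1)."""
    index = {(label, tuple(kids)): n for n, (label, kids) in trees.items()}
    layer = set()
    for i in range(max(omega.values()) + 1):
        hb_i = {(p, n) for p in omega if omega[p] == i for n in trees}
        start = layer if i % 2 == 1 else layer | hb_i
        layer = fixpoint(start, i, program, omega, trees, index)
    return layer

def V(x): return ("var", x)
def F(f, *args): return ("fun", f, list(args))
def A(pred, term): return ("atom", pred, term)

# Example 1 of the paper: p0 (priority 0), p1 (priority 1), p2 (priority 2).
EXAMPLE_1 = [
    ("p0", ("fun", "f", ["x", "y"]), ("and", A("p0", V("x")), A("p0", V("y")))),
    ("p0", ("fun", "a", []), ("true",)),
    ("p0", ("fun", "b", []), ("true",)),
    ("p1", ("fun", "f", ["x", "y"]), ("and", A("p1", V("x")), A("p0", V("y")))),
    ("p1", ("fun", "a", []), ("true",)),
    ("p1", ("fun", "c", []), ("true",)),
    ("p2", ("var", "x"),
     ("exists", "y", ("and", A("p1", F("f", V("x"), V("y"))), A("p0", V("x"))))),
]
OMEGA = {"p0": 0, "p1": 1, "p2": 2}

# Constructed universe: T = f(T, a) is the infinite left backbone f(f(f(..., a), a), a),
# U = f(a, T) has a finite left backbone, W = f(U, b) witnesses the exists in p2's clause.
TREES = {
    "a": ("a", []), "b": ("b", []), "c": ("c", []),
    "T": ("f", ["T", "a"]),
    "U": ("f", ["a", "T"]),
    "W": ("f", ["U", "b"]),
}

def example_1():
    """Denotation of Example 1 restricted to TREES."""
    return semantics(EXAMPLE_1, OMEGA, TREES)
```

Running `sorted(example_1())` lists p0(T) but not p1(T): the infinite backbone is accepted by the greatest fix-point layer and rejected by the least fix-point layer, while p2(U) holds because f(U, b) is in the universe and satisfies p1.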
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3 Horn /x-Calculus for Uniform Programs 

Uniform logic programs aimed to express the set-based analysis in terms of logic pro- 
grams. They are the basis of the results from [1313] where it is shown that the Horn 
/r-calculus restricted to uniform programs is decidable. In this section, we investigate 
the case of the alternation-free Horn /i-calculus restricted to uniform programs that are 
extended with both existential and universal quantification in the body of clauses. 

Definition 3. A uniform Horn /i-program is given as a pair (P, J?) where 17 is a pri- 
ority function and P is a set of clauses (defined over a set Pred of monadic predicate 
symbols) of the following forms: 



p{f{xi, . . .,Xm)) ^ Pl{xi), ■ ■ ■ ,Pm{Xm) 



p{x) ^ 'P 

where: - P' ::= p'{t') | S' A P | 3yW \ Vytf' | true 

- 'P contains at most x as a free variable, i.e. Var(P) C {a;}. 

The first kind of clause is called automaton clause, as a reference to the transition rule in
a classical tree automaton. The second kind is called projection clause. From now on,
the expression uniform program relates to a program of the form given in Definition 3.

It should be noticed that the alternation-free Horn μ-program given in Example 1 is
uniform.

We have already mentioned the regularity aspect of the Horn μ-calculus restricted to
uniform programs. Actually, this calculus can be viewed as a syntactic extension of the
definition of Rabin tree automata. It turns out that Rabin tree automata, or to be more
precise parity tree automata, correspond to uniform programs with clauses of the form
p(f(x_1, …, x_m)) ← p_1(x_1), …, p_m(x_m). Additionally, when uniform clauses of the
form p(x) ← q(x), r(x) are considered, then those programs correspond to alternating
parity tree automata [13].

As we have said before, we consider only programs based on a restriction of the Horn
μ-calculus, namely the alternation-free fragment. Therefore, one may wonder whether
there is an existing class of tree automata of which the alternation-free fragment of the
Horn μ-calculus restricted to uniform programs is a generalization.

In [12] Muller et al. have introduced the notion of weak-alternating tree automata.
They are based on a Büchi acceptance condition, that is on a set F such that a run is
accepted iff for every path, the set of states occurring infinitely often intersects F. The
main features of weak-alternating tree automata are the following requirements:

- there exists a partition (Q_0, …, Q_n) of the set of states Q such that for all i, either
Q_i ⊆ F (Q_i is said to be accepting) or Q_i ∩ F = ∅ (Q_i is said to be rejecting),

- the partition (Q_0, …, Q_n) is equipped with a partial ordering relation ≤,

- and, rephrased in our "uniform program" setting, for every transition rule in the
automaton p(f(x_1, …, x_m)) ← p_1(x_1), …, p_m(x_m) or p(x) ← p_1(x), …, p_m(x),
for every p_i, if p belongs to Q_j and p_i belongs to Q_k, then Q_k ≤ Q_j.
The encoding of weak-alternating tree automata into the alternation-free fragment
of the Horn μ-calculus is straightforward: it is sufficient to define a priority function Ω
compatible with the ordering ≤ and such that Ω(q) is even if q belongs to an accepting
set Q_i and Ω(q) is odd otherwise.

The main result of this paper can be stated as:

Theorem 2. Let (P, Ω) be a uniform and alternation-free Horn μ-program. Deciding
whether [[(P, Ω), p]] is empty is DEXPTIME-complete.

The DEXPTIME-hardness follows from [15]. To prove the completeness we develop a
constructive approach: we consider in the next section a class of tree automata for finite
and infinite trees, called monotonous tree automata. The main ingredient of these
automata is a family of finite and complete lattices. States are defined component-wise
as the product of elements of these lattices. Orderings for lattices are lifted to states
and then to runs. The acceptance condition is then expressed in terms of those orderings
over runs. Later on, we will give an algorithm that builds from a uniform and
alternation-free Horn μ-program (P, Ω) a monotonous tree automaton A. The basic
idea is simply that the semantics of (P, Ω) coincides with the language accepted by A.
As uniform and alternation-free Horn μ-programs extend weak-alternating tree
automata, our method provides a new technique to check emptiness for those automata.
Furthermore, the emptiness problem for weak-alternating tree automata being DEXPTIME-
hard, our method is theoretically optimal.

4 From Alternation-Free Horn μ-Programs to Tree Automata

4.1 Monotonous Tree Automata

We consider now a special kind of tree automata running on both finite and infinite 
trees. 

Definition 4. A monotonous tree automaton A is a triple (Σ, (O_i)_{i∈{0,…,k}}, Δ) where
Σ is a finite signature and (O_i)_{i∈{0,…,k}} a family of complete finite lattices, i.e. each
of the O_i = (S_i, ≤^i) is a complete lattice over a finite set S_i. A state in A is a k-tuple
(s_0, …, s_k) such that each of the s_i belongs to S_i. We denote Q the set of all states in
A. We assume each of the orderings ≤^i to be lifted in a component-wise way on states,
i.e. q ≤^i q' iff for s_i, s'_i the components of respectively q and q', s_i ≤^i s'_i holds. Δ
is a set of transition rules f(q_1, …, q_n) → q with q_1, …, q_n, q in Q and f in Σ, and
moreover,

- A is deterministic: there exists at most one transition rule f(q_1, …, q_n) → q for
any f, q_1, …, q_n.

- A is complete: there exists at least one transition rule f(q_1, …, q_n) → q for any
f, q_1, …, q_n.

- the rules from the set Δ have the monotonicity property: for any two transition
rules f(q_1, …, q_m) → q and f(q'_1, …, q'_m) → q', for any integer i in {0, …, k},
if for all j ≤ i and for all l ∈ 1..m, q_l ≤^j q'_l, then q ≤^i q'.

The rank of the automaton A given above is denoted rank(A) and is equal to k; we
denote ≤_A the family of orderings (≤^i)_{i∈{0,…,k}}.

We define for monotonous tree automata a notion of run that actually coincides with the
classical one: a run r : dom(τ) → Q for a tree τ in an automaton A is a mapping
from the tree domain of τ to the set of states of the automaton. Moreover, this mapping
r satisfies for any position d in dom(τ), labeled with a function symbol f (of arity
m) and having d.1, …, d.m as child positions, that f(r(d.1), …, r(d.m)) → r(d) is a
transition rule of A.

Note that since a monotonous tree automaton has to be (ascending) deterministic and
complete, any finite tree τ admits a unique run in this automaton. Of course, this
property is not true for infinite trees.

The acceptance condition is based on the family of orderings ≤_A = (≤^0, …, ≤^k). We
first extend each of those orderings over runs as follows: for two runs r and r' (for a
tree τ), r ≤^i r' iff for any position d in the tree domain of τ, r(d) ≤^i r'(d).

We say that the set of all 0-accepting runs for a tree τ is the set of all runs for τ.
Recursively, for 0 ≤ i ≤ k, we say that r is an (i+1)-accepting run iff r is a minimal
(resp. maximal) i-accepting run in the sense of ≤^i if i is odd (resp. even).

Definition 5 (Acceptance condition). A run r for the tree τ in the automaton A is said
to be accepting iff r is a (k+1)-accepting run.

Theorem 3. For all trees τ, there exists a unique accepting run for τ in A.

Proof. We consider for any tree τ and for i in {0, …, k+1} the set R^i_τ of i-accepting
runs for τ in A. We show that R^0_τ is not empty and that for i in {0, …, k}, R^i_τ
admits some minimal and maximal elements in the sense of ≤^i. Thus, for i in {0, …, k+1},
none of the R^i_τ's is empty. Therefore, any tree τ has at least one accepting run in
A. Finally, using the definition of states and of i-acceptance, it is easy to see that R^{k+1}_τ
can be at most a singleton. See [17] for the details.

From now on, we denote r^A_τ the unique accepting run for the tree τ in A. A state q is
reachable in the automaton A if there exists a tree τ such that for the unique accepting
run r^A_τ, r^A_τ(ε) = q. For a state q, we define L(A, q), the language accepted by the
automaton A in this state q, as the set of trees {τ ∈ T_Σ | r^A_τ(ε) = q}.

Theorem 4. The language L(A, q) is a regular set of trees.

Proof. By reduction to SkS (k being the maximal arity in Σ): for the language L(A, q),
we construct an SkS-formula φ_q such that the full k-ary tree containing a tree τ is a
model of φ_q iff τ ∈ L(A, q). See [17] for the detailed proof.

Note that the constructive proof for showing the regularity of L(A, q) can easily be
adapted to show that reachability for a state can be encoded into SkS as well.
Unfortunately, this would provide a quite high-complexity algorithm whereas, as stated in the
next theorem, reachability can be tested efficiently.

For the automaton A, we define the size of A as (|O_0| × … × |O_k|)^{c_Σ}, where |O_i| is
the cardinality of the lattice O_i and c_Σ is a constant depending only on the signature Σ.

Theorem 5.

(i) Reachability for a state q can be decided in polynomial time in the size of the
automaton A.

(ii) The emptiness of the language L(A, q) can be decided in polynomial time in the
size of A.

Proof. See [17] for the proof of (i). For (ii), checking emptiness for L(A, q) simply
amounts to checking whether the state q is reachable. This can be achieved in polynomial
time due to (i).

To conclude this section, let us say a few words about the expressiveness of monotonous
tree automata. We have shown in Theorem 4 that the accepted language (for a fixed final
state, and so, for a finite set of final states) is a Rabin regular tree language. On one
hand, we will see in the next section how monotonous tree automata can be used to
accept the same languages as the ones defined by a uniform and alternation-free Horn
μ-program. On the other hand, we have already said that these programs extend weak-
alternating tree automata; furthermore, it is known that weak-alternating tree automata
accept exactly the languages that can be defined by Büchi tree automata whose complement
is also a Büchi tree automaton (often denoted as Büchi ∩ co-Büchi). Therefore,
monotonous tree automata are at least as expressive as Büchi ∩ co-Büchi. It is not yet
known whether this inclusion is strict or not.

When one considers only signatures restricted to unary function symbols, then tree
automata correspond to word automata. In this case, Theorem 4 claims that monotonous
automata accept languages which are regular sets of words, i.e. ω-regular languages. On
the other hand, it is known that weak-alternating word automata also accept exactly the
ω-regular languages. Hence, when restricted to words (that is, unary function symbols),
monotonous tree automata accept exactly the regular languages.

One should also notice that the class of monotonous tree automata is closed under
complementation. For an automaton A whose states are in Q, let us consider F ⊆ Q a set of
final states. We define the language L(A, F) as ⋃_{q∈F} L(A, q). We know already that
this language is a regular set of trees. Due to the uniqueness of the accepting run for any
tree τ, the complement of this language, \overline{L(A, F)}, is simply L(A, Q \ F). Hence, given
a monotonous tree automaton A together with a set of final states F, one can construct
an automaton recognizing the complemented language in linear time.

4.2 Fix-Point Operators for Automata

In this section, we present a construction that, given a uniform and alternation-free Horn
μ-program, computes a monotonous tree automaton such that the language recognized
by the automaton coincides with the semantics of the program. The construction is
based on an instantiation (depending on the program (P, Ω)) of the definition we gave
for monotonous tree automata in the previous section: to be a little bit more explicit,
states of these automata will be seen as sets of predicate symbols occurring in (P, Ω)
and the family of orderings defining the acceptance condition will be expressed in terms
of set inclusions taking the priority of predicates into account.
Let us consider (P, Ω), a uniform and alternation-free Horn μ-program for which the
set of predicates is Pred. Pred_i is the set of all predicates in Pred with priority i:
Pred_i = {p ∈ Pred | Ω(p) = i}. We instantiate the notion of automata given in the
previous section. This yields a finite family of automata, denoted F_{(P,Ω)}, satisfying:

- Σ is the set of function symbols over which P is defined,

- the family of finite and complete lattices is given by (O_i)_{i∈{0,…,max(Ω(P))}}, where
for each i, O_i = (℘(Pred_i), ⊆); ℘(Pred_i) denotes the set of all subsets of Pred_i.
A state in these automata is a tuple of sets of predicate symbols such that the i-th
component is a set that contains only predicate symbols of priority i. The ordering
of the lattice O_i is simply the inclusion relation.

For convenience, we will regard a state simply as a unique set of predicate symbols.
Since components of a tuple representing a state are pair-wise disjoint, the set of all
predicate symbols occurring in a tuple corresponds to a unique state and vice-versa.
This view simply imposes that for the family of orderings (≤^0, …, ≤^n), each ordering ≤^i
has to be defined as: q ≤^i q' iff q ∩ Pred_i ⊆ q' ∩ Pred_i for any states q, q' viewed as
sets of predicates.

The construction is defined for this instantiation by means of fix-point operators
transforming an automaton from F_{(P,Ω)} into another one. These operators are defined for
each clause: the definition of an operator depends on the priority of the predicate
occurring in the head and on the nature ("automaton"/"projection") of its clause.

Let us first sketch the basic idea of our approach: the semantics for a Horn μ-program
(P, Ω) associates with each of its predicates a set of trees. This can be viewed the other
way round: the semantics can be expressed as a unique mapping C_{(P,Ω)} from the set of
trees to sets of predicates, as a kind of characteristic function: for instance, for some tree
τ, C_{(P,Ω)}(τ) could be {p, q}, which stands for "both p(τ) and q(τ) belong to [[(P, Ω)]]
and for no other predicate r, r(τ) belongs to [[(P, Ω)]]".

Note that the mapping C_{(P,Ω)} also defines, for a fixed tree τ, a unique mapping from the
tree domain of τ to sets of predicate symbols, simply by associating to each position
d in τ the value of C_{(P,Ω)}(τ[d]) (recall that τ[d] denotes the subtree of τ at position
d). Therefore, C_{(P,Ω)} for a fixed tree τ is of the same kind as a run for the tree τ in a
monotonous tree automaton from F_{(P,Ω)}. What we show here is that for C_{(P,Ω)}, there
exists a monotonous tree automaton A_{(P,Ω)} such that for any tree τ, C_{(P,Ω)} over the
tree domain of τ is exactly the accepting run for τ in A_{(P,Ω)}. Furthermore, we give an
algorithm that computes this automaton A_{(P,Ω)}.

We have described so far the shape of the tree automata we have to consider (namely
the family F_{(P,Ω)}) and gave briefly the intuition of what the construction should yield.
We are now going to explicitly formalize this construction. Roughly speaking, this
construction is an alternating fix-point computation that mimics the fix-point
semantics for alternation-free Horn μ-programs given in Section 2.2.

To make the link clearer, we need to rephrase the definition of the operators T^i_{(P,Ω)}
in terms of contributions of each clause that is taken into account by this operator. For
T^i_{(P,Ω)} these clauses will be the ones for which the predicate in their head has priority
i. Let us denote C^i the set of such clauses. Hence, for any set of atoms S, one has

\[
T^i_{(P,\Omega)}(S) = \bigcup_{c \in C^i} T^i_{(\{c\},\Omega)}(S)
\]

where T^i_{({c},Ω)} is defined as T^i_{(P,Ω)} for a program having c as its unique clause.

Our construction will mimic this rephrased definition: we will define for each priority i
an operator T^i_F over tree automata from F_{(P,Ω)} as the "union" of individual operators
T_{F,c} defined for all clauses with a head of priority i. Thus, as the fix-point operators
introduced for the semantics transform a set of atoms into another set of atoms, the
operators T_{F,c} and T^i_F will transform a tree automaton from F_{(P,Ω)} into another tree
automaton.

We start with defining the "union" operator ⊔ for monotonous tree automata.

Definition 6. For A, A' in F_{(P,Ω)} having respectively Δ_A and Δ_{A'} as sets of transition
rules, the monotonous tree automaton A ⊔ A' has, as transition rules, the set

\[
\{\, lhs \to q \cup q' \mid lhs \to q \in \Delta_A,\; lhs \to q' \in \Delta_{A'} \,\}
\]

For each clause c from P we will introduce an operator T_{F,c} : F_{(P,Ω)} → F_{(P,Ω)} and
we define T^i_F, the tree automata operator, as

\[
T^i_F(A) = \bigsqcup_{c \in C^i} T_{F,c}(A)
\]



Now for clauses c from P, the operators T_{F,c} are defined in a generic way by
distinguishing clauses according to the priority of the predicate in their head and according to
their nature (automaton vs. projection).

Let us start with the case where c is an automaton clause. 



Definition 7. Let A be a tree automaton from F_{(P,Ω)} with Δ_A as set of transition
rules. Let c = p(f(x_1, …, x_m)) ← p_1(x_1), …, p_m(x_m) be an automaton clause from
P. The operator T_{F,c} is defined according to the parity of Ω(p) as

- if Ω(p) is odd: the tree automaton T_{F,c}(A) has for transition rules the set

\[
\left\{\, lhs \to q' \;\middle|\; lhs \to q \in \Delta_A \text{ and } q' =
\begin{cases}
q \cup \{p\} & \text{if } lhs = f(q_1, \ldots, q_m) \text{ and for all } i : p_i \in q_i \\
q & \text{otherwise}
\end{cases} \right\}
\]

- if Ω(p) is even: the tree automaton T_{F,c}(A) has for transition rules the set

\[
\left\{\, lhs \to q' \;\middle|\; lhs \to q \in \Delta_A \text{ and } q' =
\begin{cases}
q \setminus \{p\} & \text{if } lhs \neq f(q_1, \ldots, q_m) \text{ or there exists } i : p_i \notin q_i \\
q & \text{otherwise}
\end{cases} \right\}
\]
Defining T_{F,c} for projection clauses is more involved and requires some auxiliary
notions. We first point out an algebraic view of monotonous tree automata. The second
step consists of a formalization of the different processing of quantified and free variables
in the formulas from the body of clauses we have to consider.

We consider the finite algebra A_A defined by a monotonous tree automaton A: the
carrier of A_A is the set of all states of A and function symbols are interpreted according
to transition rules: the function symbol f is interpreted in the algebra A_A by
a function f^{A_A} such that for any tuple of states q_1, …, q_m, f^{A_A}(q_1, …, q_m) = q iff
f(q_1, …, q_m) → q is a transition rule in A. Note that we use here the fact that A is
ascending deterministic and complete.

This algebra A_A can be extended to a unique structure R_A simply by interpreting the
monadic predicate p from the program as the set of all states that contain this predicate.
Formally, the semantics of p in R_A is {q ∈ Q | p ∈ q}.

The main idea to address projection clauses is to consider this finite structure R_A for
interpreting formulas in the body of clauses.

But this very simple and natural idea requires an additional technical point: for a clause
p(x) ← Ψ(x) we want to interpret the formula Ψ(x) in the finite structure of states
R_A. However, for correctness, we have to consider the variable x ranging over arbitrary
states, whereas for the quantified variables that may occur in Ψ(x), we must consider
them as ranging only over reachable states. To model this requirement formally, we will
introduce a new formula Ψ̂ for each formula Ψ as follows:

- if Ψ is an atom p(t) then Ψ̂ = p(t).

- if Ψ = Ψ_1 ∧ Ψ_2 (resp. Ψ = Ψ_1 ∨ Ψ_2) then Ψ̂ = Ψ̂_1 ∧ Ψ̂_2 (resp. Ψ̂ = Ψ̂_1 ∨ Ψ̂_2).

- if Ψ = ∃y Ψ' then Ψ̂ = ∃y p_T(y) ∧ Ψ̂'

- if Ψ = ∀y Ψ' then Ψ̂ = ∀y p_T(y) ⇒ Ψ̂'

The predicate symbol p_T is a new predicate symbol. Intuitively, from the Herbrand
semantics point of view, its semantics is the set of all trees. One can imagine this predicate
defined as ∀x p_T(x) when Herbrand structures are considered. For any quantified variable
y in the formula Ψ, the corresponding variable y in the formula Ψ̂ will be guarded
by an atom p_T(y).

As we said above, due to the particular interpretation of p_T in Herbrand structures:

Remark 1. For any Herbrand structure R_HB defining semantics for the predicate symbols
and such that the semantics of p_T is the set of all trees, R_HB, [x/t] ⊨ Ψ̂(x) holds
iff R_HB, [x/t] ⊨ Ψ(x) holds.

However, things are going to be different in the automaton structure R_A. In this
structure R_A, we fix the semantics of the predicate p_T to the set of all reachable states in A.
Hence, this will ensure in a formal way that for the formula Ψ̂, one considers quantified
variables instantiated only with reachable states, whereas the free variable of this
formula may take arbitrary states as values.

Definition 8. Let A be a tree automaton from F_{(P,Ω)} with Δ_A as set of transition rules.
Let c = p(x) ← Ψ(x) be a projection clause from P. The operator T_{F,c} is defined
according to the parity of Ω(p) as

- if Ω(p) is odd: the tree automaton T_{F,c}(A) has for transition rules the set

\[
\left\{\, lhs \to q' \;\middle|\; lhs \to q \in \Delta_A \text{ and } q' =
\begin{cases}
q \cup \{p\} & \text{if } R_A, [x/q] \models \hat{\Psi}(x) \\
q & \text{otherwise}
\end{cases} \right\}
\]

- if Ω(p) is even: the tree automaton T_{F,c}(A) has for transition rules the set

\[
\left\{\, lhs \to q' \;\middle|\; lhs \to q \in \Delta_A \text{ and } q' =
\begin{cases}
q \setminus \{p\} & \text{if } R_A, [x/q] \not\models \hat{\Psi}(x) \\
q & \text{otherwise}
\end{cases} \right\}
\]



Before carrying on the presentation of our algorithm, it may be worth clarifying a point
about the operators T^i_F and T_{F,c}. We have claimed earlier that those operators are defined
over F_{(P,Ω)}. While it is quite clear that, due to their respective definitions, T^i_F and T_{F,c}
associate with an automaton in F_{(P,Ω)} a tree automaton defined over the same signature
and the same set of states which is both (ascending) deterministic and complete,
the monotonicity property is less straightforward for the resulting automaton. However,
it is obvious that if the monotonicity property holds for A and A', then it holds for
A ⊔ A'. This is also true for any of the T_{F,c} operators, as claimed in the next proposition.

Proposition 1. Let A be an automaton from F_{(P,Ω)}; then both T_{F,c}(A) and T^i_F(A)
satisfy the monotonicity property.



Proof. The detailed proof for T_{F,c} can be found in [17]. Taking into account the
definition of T^i_F in terms of ⊔ yields the proof.

We have now introduced all the material needed to describe the algorithm. As we have
said earlier, this latter simply mimics the computation of the fix-point semantics for
(P, Ω) in terms of tree automata.

Let us consider an automaton A^0 that belongs to F_{(P,Ω)} and that we call initial. This
initial automaton is the one from F_{(P,Ω)} having the right-hand side of all its transition
rules equal to a particular state denoted q_{P,Ω}. This state q_{P,Ω} is the state satisfying: for
all predicate symbols p, p ∈ q_{P,Ω} iff Ω(p) is even.

The family of automata (A^i_{(P,Ω)})_{i∈Ω(P)} is given by:

\[
A^0_{(P,\Omega)} = (T^0_F)^*(A^0) \quad \text{and for } 0 < i \le \max(\Omega(P)),\quad
A^i_{(P,\Omega)} = (T^i_F)^*(A^{i-1}_{(P,\Omega)})
\]

where (T^i_F)*(A) is the unique automaton A' for which there exists a least integer m
such that A' = T^i_F ∘ … ∘ T^i_F(A) (m times) and T^i_F(A') = A'.

The fact that such an integer m exists follows directly from the definitions of T_{F,c} and
⊔ and from the definition of the initial automaton A^0.

The output of the algorithm is the tree automaton A^n_{(P,Ω)} where n = max(Ω(P)). It
should be noticed that the computation of A^n_{(P,Ω)} is not the computation of a model
of (P, Ω) on a finite algebra (or finite pre-interpretation): performing the computation
of a structure (that is, of an interpretation of predicate symbols) over a finite algebra
would imply that the considered algebra is fixed all along the computation whereas the
structure evolves. Contrary to this latter, in our approach the finite algebra we consider
changes during the computation according to the automata, whereas the structure is fixed
for a given algebra.

The correctness of our approach, that is the equivalence between the uniform and
alternation-free Horn μ-program (P, Ω) and the tree automaton A^n_{(P,Ω)}, can be phrased
as

Theorem 6. A ground atom p(t) belongs to [[(P, Ω)]] iff p ∈ r^{A^n_{(P,Ω)}}_t(ε) for n =
max(Ω(P)).

Proof. See [17] for the proof.

Example 2. We illustrate our algorithm with the uniform and alternation-free Horn μ-
program (P, Ω) given in Example 1. For conciseness, we identify a tree automaton
with its set of transition rules and use a meta-representation for states occurring in
the left-hand sides of transition rules. A state is represented as a pair [X, Y] such that
X, Y ⊆ Pred and X ∩ Y = ∅. The pair [X, Y] represents all states that contain X
and that do not contain Y. For instance, [{p_0}, {p_1}] represents the states {p_0} and
{p_0, p_2}. As an extension, the (meta-)transition rule g([{p_0}, {p_1}]) → q represents the
two transition rules g({p_0}) → q and g({p_0, p_2}) → q. Finally, we simply refer to a
predicate symbol by its index, i.e. 2 stands for p_2.

We compute the family of automata (A^i_{(P,Ω)})_{i∈{0,1,2}}. The automaton A^2_{(P,Ω)} is
equivalent to the denotation of (P, Ω) as stated in Theorem 6.

The initial automaton A^0 is given by

  { a → {0,2}, b → {0,2}, c → {0,2}, g([∅,∅]) → {0,2}, f([∅,∅],[∅,∅]) → {0,2} }

For c_1 = p_0(a) and c_2 = p_0(b), T_{F,c_1}(A^0) and T_{F,c_2}(A^0) are respectively equal to

  { a → {0,2}, b → {2}, c → {2}, g([∅,∅]) → {2}, f([∅,∅],[∅,∅]) → {2} }

and

  { a → {2}, b → {0,2}, c → {2}, g([∅,∅]) → {2}, f([∅,∅],[∅,∅]) → {2} }

And for c_3 = p_0(f(x,y)) ← p_0(x), p_0(y),

  T_{F,c_3}(A^0) = { a → {2}, b → {2}, c → {2}, g([∅,∅]) → {2},
                     f([{0},∅],[{0},∅]) → {0,2}, f([∅,{0}],[{0},∅]) → {2},
                     f([{0},∅],[∅,{0}]) → {2}, f([∅,{0}],[∅,{0}]) → {2} }

So, for T^0_F(A^0) = T_{F,c_1}(A^0) ⊔ T_{F,c_2}(A^0) ⊔ T_{F,c_3}(A^0), we have

  { a → {0,2}, b → {0,2}, c → {2}, g([∅,∅]) → {2},
    f([{0},∅],[{0},∅]) → {0,2}, f([∅,{0}],[{0},∅]) → {2},
    f([{0},∅],[∅,{0}]) → {2}, f([∅,{0}],[∅,{0}]) → {2} }
It is easy to see that T^0_F(T^0_F(A^0)) = T^0_F(A^0). Therefore, A^0_{(P,Ω)} = T^0_F(A^0). The
next computed automaton is then A^1_{(P,Ω)}, which is equal to

  { a → {0,1,2}, b → {0,2}, c → {1,2}, g([∅,∅]) → {2},
    f([{0,1},∅],[{0},∅]) → {0,1,2}, f([{0},{1}],[{0},∅]) → {0,2},
    f([{1},{0}],[{0},∅]) → {1,2}, f([∅,{0,1}],[{0},∅]) → {2},
    f([{0},∅],[∅,{0}]) → {2}, f([∅,{0}],[∅,{0}]) → {2} }

Once again it is easy to see that T^1_F(T^1_F(A^0_{(P,Ω)})) = T^1_F(A^0_{(P,Ω)}). So, A^1_{(P,Ω)} =
T^1_F(A^0_{(P,Ω)}). In this automaton, all the states in the right-hand side of the transition
rules are reachable (and of course, only those ones): the states {0,1,2}, {0,2}, {1,2}
and {2} are reachable since they label the root of the unique (and thus, accepting) run
for respectively a, b, c and g(a). Now, for computing the automaton T^2_F(A^1_{(P,Ω)}),
one has to check for each state q in the right-hand side of transition rules whether,
in the structure R_{A^1_{(P,Ω)}}, the valuation [x/q] renders the formula ∃y (y ∈ T ∧
p_1(f(x,y))) ∧ p_0(x) true or not. This formula is falsified by any state q which
does not contain 0. Hence, by definition of T_F, T^2_F(A^1_{(P,Ω)}) will contain the following
(meta-)transition rules

  { c → {1}, g([∅,∅]) → ∅,
    f([{1},{0}],[{0},∅]) → {1}, f([∅,{0,1}],[{0},∅]) → ∅,
    f([{0},∅],[∅,{0}]) → ∅, f([∅,{0}],[∅,{0}]) → ∅ }

Now for the other rules, let us start with q = {0,1,2} (that is, the rules for a and for
f([{0,1},∅],[{0},∅])). It is possible to find a reachable state q' such that [x/q, y/q'] ⊨
p_1(f(x,y)). For instance, due to the rule f({0,1,2},{0,1,2}) → {0,1,2} in A^1_{(P,Ω)},
whose right-hand side contains 1, the state {0,1,2} is a proper choice for q'. So,
T^2_F(A^1_{(P,Ω)}) contains the unchanged rules

  a → {0,1,2}    f([{0,1},∅],[{0},∅]) → {0,1,2}

On the other hand, for the remaining rules with {0,2} as right-hand side, one can check
that for q = {0,2}, it is not possible to find a reachable state q' such that [x/q, y/q'] ⊨
p_1(f(x,y)). Therefore, T^2_F(A^1_{(P,Ω)}) contains the rules

  b → {0}    f([{0},{1}],[{0},∅]) → {0}

It is easy to check that T^2_F(T^2_F(A^1_{(P,Ω)})) = T^2_F(A^1_{(P,Ω)}). So, A^2_{(P,Ω)} =
T^2_F(A^1_{(P,Ω)}).

Let us present the relevant part of the automaton A^2_{(P,Ω)}, that is, restricted to the states
occurring in the right-hand side of transition rules.

  a → {0,1,2}          b → {0}                   c → {1}
  g(∅) → ∅             g({0}) → ∅                g({1}) → ∅             g({0,1,2}) → ∅
  f(∅,∅) → ∅           f(∅,{0}) → ∅              f(∅,{1}) → ∅           f(∅,{0,1,2}) → ∅
  f({0},∅) → ∅         f({0},{0}) → {0}          f({0},{1}) → ∅         f({0},{0,1,2}) → {0}
  f({1},∅) → ∅         f({1},{0}) → {1}          f({1},{1}) → ∅         f({1},{0,1,2}) → {1}
  f({0,1,2},∅) → ∅     f({0,1,2},{0}) → {0,1,2}  f({0,1,2},{1}) → ∅     f({0,1,2},{0,1,2}) → {0,1,2}
One can notice for this automaton that if a tree τ contains one occurrence of the function
symbol g, then any run r for τ will satisfy r(ε) = ∅. So, τ does not belong to the
denotation of any of the predicates p_0, p_1 and p_2.

Now let us consider f^ω, the infinite binary tree with all its nodes labeled by f. This tree
f^ω admits three runs in A^2_{(P,Ω)}. The first run r_1 associates with each node the state ∅,
the second run r_2 the state {0} and the last run r_3 the state {0,1,2}. r_1 cannot be the
accepting run since r_2 and r_3 are greater than r_1 in the sense of ≤^0. Finally, r_2 is the
accepting run since it is smaller in the sense of ≤^1 than r_3. So, the tree f^ω belongs to the
denotation of the predicate p_0 but not to the denotation of p_1 and p_2.

Finally, let us consider the two trees τ_1 and τ_2: τ_1 is a finite left backbone of f
terminated with the constant c and each f from the backbone has f^ω as right son. The
tree τ_2 is similar to τ_1 except that the backbone ends up with the constant a. Thus, the
accepting run r_{τ_1} for τ_1 associates with each node outside of the backbone the state {0}
and, because of the two rules c → {1} and f({1},{0}) → {1}, with each node from
the backbone the state {1}. Therefore, τ_1 belongs only to the denotation of p_1. The
accepting run for τ_2 is similar to r_{τ_1} outside of the backbone and, due to the rules
a → {0,1,2} and f({0,1,2},{0}) → {0,1,2}, associates the state {0,1,2} with the
root of τ_2. Therefore, the tree τ_2 belongs to the denotation of p_0, p_1 and p_2.

The complexity of the construction of A^n_{(P,Ω)} can be roughly estimated: the size of
each automaton in the family F_{(P,Ω)} is single-exponential in the size of P. Moreover,
the basic operations T_{F,c} and ⊔ can be performed in polynomial time in the size of the
automaton. Thus, computing T^i_F can be achieved by a polynomial-time algorithm in
the size of the automaton. For each step from A^{i-1}_{(P,Ω)} to A^i_{(P,Ω)}, the operator T^i_F has to
be iterated. However, taking into account the definition of the basic operations and the
initial automaton, we can claim that the number of iterations is bounded by a single
exponential in the size of P. So, globally, the automaton A^n_{(P,Ω)} can be computed by
an algorithm running in single-exponential time in the size of P.

By Theorem 6, testing whether [[(P, Ω), p]] is empty simply amounts to searching, in the
automaton A^n_{(P,Ω)}, for the reachability of a state containing p. Then, by combining the
complexity of the construction of A^n_{(P,Ω)} with Theorem 5, the result claimed earlier in
Theorem 2 follows.
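As an added example (not code from the paper), the following Python script runs the construction of Section 4.2 on the program behind Example 2: it builds A^0, iterates T^i_F to a fix point for priorities 0, 1 and 2, computes reachable states for the guard p_T, and finally evaluates the unique run of a finite tree. The clauses are my reading of Example 1 off the automata displayed in Example 2 (Example 1 itself is not on this page); the encoding of states as frozensets of predicate indices and of rules as a dict are mine.

```python
"""Fix-point construction of a monotonous tree automaton from a uniform,
alternation-free Horn mu-program (added example, not the paper's code)."""
from itertools import combinations, product

# Signature of Example 2: constants a, b, c, unary g, binary f (name -> arity).
SIGNATURE = {"a": 0, "b": 0, "c": 0, "g": 1, "f": 2}
# Priority function Omega; predicates are named by their index as in Example 2.
PRIORITY = {0: 0, 1: 1, 2: 2}
# Automaton clauses p(f(x1,...,xm)) <- p1(x1),...,pm(xm), encoded (p, f, [p1..pm]).
# Assumption: these are the clauses of Example 1, read off the automata of Example 2.
AUTOMATON_CLAUSES = [(0, "a", []), (0, "b", []), (0, "f", [0, 0]),
                     (1, "a", []), (1, "c", []), (1, "f", [1, 0])]


def body_p2(rules, reachable, q):
    """Hatted body of p2(x) <- exists y. p1(f(x,y)) and p0(x), evaluated in R_A:
    x is the (arbitrary) state q, the guarded y ranges over reachable states only."""
    return 0 in q and any(1 in rules[("f", (q, r))] for r in reachable)


PROJECTION_CLAUSES = [(2, body_p2)]          # (head predicate, hatted body)
# States of F_(P,Omega), viewed as sets of predicate indices: all subsets of Pred.
STATES = [frozenset(c) for n in range(4) for c in combinations(PRIORITY, n)]


def initial_automaton():
    """A^0: every rule leads to q_{P,Omega} = {p | Omega(p) even}."""
    q0 = frozenset(p for p, i in PRIORITY.items() if i % 2 == 0)
    return {(f, args): q0 for f, arity in SIGNATURE.items()
            for args in product(STATES, repeat=arity)}


def reachable_states(rules):
    """States labelling the root of the run of some finite tree (least fix point)."""
    reach = set()
    while True:
        new = {q for (_, args), q in rules.items() if all(a in reach for a in args)}
        if new <= reach:
            return reach
        reach |= new


def apply_clause(rules, clause):
    """T_{F,c}(A) for one clause, following Definitions 7 and 8."""
    head = clause[0]
    odd = PRIORITY[head] % 2 == 1
    if len(clause) == 3:                           # automaton clause
        _, sym, preds = clause

        def fires(lhs, q):
            f, args = lhs
            return f == sym and all(p in a for p, a in zip(preds, args))
    else:                                          # projection clause
        _, body = clause
        reach = reachable_states(rules)            # semantics of p_T in R_A

        def fires(lhs, q):
            return body(rules, reach, q)
    out = {}
    for lhs, q in rules.items():
        if odd:                                    # least fix point: add the head
            out[lhs] = q | {head} if fires(lhs, q) else q
        else:                                      # greatest fix point: drop it
            out[lhs] = q if fires(lhs, q) else q - {head}
    return out


def union(automata):
    """The join of Definition 6: rule by rule, union of the right-hand sides."""
    return {lhs: frozenset().union(*(a[lhs] for a in automata)) for lhs in automata[0]}


def step(rules, i):
    """T_F^i(A): join of T_{F,c}(A) over the clauses whose head has priority i."""
    clauses = [c for c in AUTOMATON_CLAUSES + PROJECTION_CLAUSES if PRIORITY[c[0]] == i]
    if not clauses:
        return rules
    return union([apply_clause(rules, c) for c in clauses])


def build_automaton():
    """A^n_(P,Omega): iterate T_F^i to a fix point for i = 0, ..., max(Omega(P))."""
    rules = initial_automaton()
    for i in range(max(PRIORITY.values()) + 1):
        while True:
            nxt = step(rules, i)
            if nxt == rules:
                break
            rules = nxt
    return rules


def run_root(rules, tree):
    """Root state of the unique run of a finite tree given as (symbol, [subtrees])."""
    sym, kids = tree
    return rules[(sym, tuple(run_root(rules, k) for k in kids))]


if __name__ == "__main__":
    A = build_automaton()
    # Constructed finite instances of tau_1 and tau_2: left backbone ending in c / a.
    tau1 = ("f", [("f", [("c", []), ("a", [])]), ("b", [])])
    tau2 = ("f", [("f", [("a", []), ("a", [])]), ("b", [])])
    print(sorted(run_root(A, tau1)), sorted(run_root(A, tau2)))  # [1] [0, 1, 2]
```

The computed rules for a, b, c, g and f reproduce the table of A^2_{(P,Ω)} above; emptiness of [[(P, Ω), p]] then reduces to asking whether some state returned by reachable_states contains p.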
Abstract. We consider entailment problems in the fluent calculus as
they arise in reasoning about actions. Taking into account various fragments
of the fluent calculus we formally show decidability results, establish
their complexity, and prove undecidability results. Thus we draw
a boundary between decidable and undecidable fragments of the fluent
calculus.



1 Introduction 

Intelligent agents need to reason about the state of the world, the actions that
they can perform and the effects that are achieved by executing actions. To
elaborate on the question whether there exists a sequence of actions such that
a given goal can be achieved by executing this sequence in the current state is
one of the most important tasks an intelligent agent has to perform. From a
logical point of view this amounts to solving an entailment problem as already
laid down in [18]. Likewise, many other problems in reasoning about actions can
be formalized as entailment problems in a suitable logic.

There is a variety of proposals for reasoning about actions, notably the situ- 
ation [19,16], the fluent [11,30] and the event calculus [13,26], approaches based 
on the linear connection method [1,2], linear logic [8,17], transaction logic [3], 
temporal action logics [4], action languages [7], the features and fluent approach 
[25], etc. We opt for the fluent calculus because it is a logic with standard seman- 
tics and a sound and complete calculus, and many of the problems in reasoning 
about actions like the frame and the ramification problem can be dealt with in a 
representationally as well as computationally adequate way. There are also many 
extensions of the fluent calculus for reasoning about non-deterministic actions 
[31], specificity [10], sensing actions [32], etc., where the fluent calculus is at least 
equivalent and sometimes superior to alternative approaches. 

Central to the fluent calculus is the idea to model world states by multisets 
of fluents and to represent these multisets as so-called state terms using an 
AC1-theory. The use of multisets instead of sets, or, equivalently, the use of 
an AC1-theory instead of an ACI1-theory allows for an elegant solution of the 
frame problem [9]. Whereas in a multiset of fluents the elements are viewed as 
resources and actions produce and consume resources, one sometimes likes to 
view resources as properties, which do or do not hold in a state. This view can 
be supported in the fluent calculus as well by additionally requiring that each 
fluent occurs at most once in a multiset while retaining the abovementioned 
solution of the frame problem (see e.g. [28]). 

In this paper we are concerned with the question of what the boundary between 
decidable and undecidable fragments of the fluent calculus looks like. To 
answer this question we consider various fragments of the fluent calculus and 
prove that the entailment problems in these fragments are either decidable or 
undecidable. In the former case we are additionally interested in the complexity 
of the decision procedure. In particular, we establish the following results: 

1a. We consider a monadic second order fragment of the fluent calculus with 
restricted state update axioms and finitely many fluent constants. The corre- 
sponding entailment problem is shown to be decidable using the decidability 
of Presburger arithmetic and of the monadic second order theory of labeled 
trees. If we additionally assume that fluents may occur at most once in a 
state term then this result corresponds to a similar result achieved for the 
situation calculus in [29]. 

1b. We show that the entailment problem from 1a. cannot be solved in elemen- 
tary time even if fluents may occur at most once in a state term. This solves 
an open problem posed in [29]. 

1c. We show that the entailment procedure used in 1a. can be modified to be- 
come elementary, if we consider a first order version of the fluent calculus 
with restricted state update axioms and finitely many fluent constants. 

2a. We consider a first order fragment of the fluent calculus with unrestricted 
state update axioms and finitely many fluent constants. The correspond- 
ing entailment problem is shown to be undecidable by reducing it to the 
acceptance problem of two-counter machines. 

2b. We show that the entailment problem is decidable if we additionally assume 
that fluents may occur at most once in a state term. 

2c. We show that the entailment problem is again undecidable if we additionally 
assume to have two unary function symbols mapping fluents onto fluents. 

The paper is organized as follows. In Section 2 we define the basic structure 
underlying the fluent calculus. The language of the fluent calculus as well as 
the various fragments and entailment problems are specified in Section 3. The 
monadic fragment together with the decidability result and the complexity con- 
siderations are presented in Section 4. The undecidability results are proved in 
Section 5. Finally, a brief discussion of our results in Section 6 concludes this 
paper. 
2 The Structures 

We consider a two-sorted version of the fluent calculus by understanding the 
fluents as state constants and the actions as functions. So let $ACT$ and $FL$ be 
two finite sets of actions and fluents, resp. An $(ACT, FL)$-structure is a two- 
sorted structure 

$$\mathcal{M} = (SIT^{\mathcal{M}}, ST^{\mathcal{M}};\ (do_a^{\mathcal{M}})_{a \in ACT},\ state^{\mathcal{M}},\ \circ^{\mathcal{M}},\ 0^{\mathcal{M}},\ s_I^{\mathcal{M}},\ (F^{\mathcal{M}})_{F \in FL})$$

where $do_a^{\mathcal{M}} : SIT^{\mathcal{M}} \to SIT^{\mathcal{M}}$, $\circ^{\mathcal{M}} : ST^{\mathcal{M}} \times ST^{\mathcal{M}} \to ST^{\mathcal{M}}$ and $state^{\mathcal{M}} : SIT^{\mathcal{M}} \to ST^{\mathcal{M}}$ are functions, $0^{\mathcal{M}}, F^{\mathcal{M}} \in ST^{\mathcal{M}}$ and $s_I^{\mathcal{M}} \in SIT^{\mathcal{M}}$ are constants such that 

1. situations have unique names, i.e. there are no action $a \in ACT$ and situation $s \in SIT^{\mathcal{M}}$ such that $do_a^{\mathcal{M}}(s) = s_I^{\mathcal{M}}$, and $do_{a_1}^{\mathcal{M}}(s_1) = do_{a_2}^{\mathcal{M}}(s_2)$ implies $a_1 = a_2$ and $s_1 = s_2$ for any actions $a_1, a_2 \in ACT$ and any situations $s_1, s_2 \in SIT^{\mathcal{M}}$, 

2. any situation is reachable from the initial situation $s_I^{\mathcal{M}}$, i.e., for all $s \in SIT^{\mathcal{M}}$ there exist finite sequences $s_i \in SIT^{\mathcal{M}}$ and $a_i \in ACT$ such that $s_0 = s_I^{\mathcal{M}}$, $s_{i+1} = do_{a_i}^{\mathcal{M}}(s_i)$ and $s_n = s$ for some $n \in \mathbb{N}$, 

3. the structure $(ST^{\mathcal{M}}; \circ^{\mathcal{M}}, 0^{\mathcal{M}})$ is isomorphic to the algebra of finite multisets over $\{F^{\mathcal{M}} \mid F \in FL\}$, where $F^{\mathcal{M}} \neq G^{\mathcal{M}}$ for $F, G \in FL$ with $F \neq G$, together with multiset union as operation. 

We consider total functions $do_a^{\mathcal{M}}$. In other words, in this model any action 
can be executed in any situation. This might contradict the intuition that some 
conditions have to be satisfied to be able to execute a particular action. Indeed, 
one could use partial functions instead, which would considerably complicate the 
presentation. So we only remark that all we are doing can be done with partial 
actions, too. Finally, let $\mathcal{MS} = (ST^{\mathcal{M}}; \circ^{\mathcal{M}}, 0^{\mathcal{M}}, (F^{\mathcal{M}})_{F \in FL})$. 

Note that by the first two requirements on the situations and the functions 
$do_a^{\mathcal{M}}$, they form an infinite tree. More precisely, write $s \sqsubseteq s'$ iff the situation $s'$ 
can be reached from the situation $s$ by finitely many applications of functions 
$do_a^{\mathcal{M}}$. Then the first two restrictions ensure that $\sqsubseteq$ is a partial order and that 
$(SIT^{\mathcal{M}}; \sqsubseteq)$ is a tree. Because any situation is reachable from the initial situation 
in a unique way, we can identify the situation $do_{a_n}^{\mathcal{M}}(do_{a_{n-1}}^{\mathcal{M}}(do_{a_{n-2}}^{\mathcal{M}}(\cdots(s_I^{\mathcal{M}})\cdots)))$ 
with the word $a_1 a_2 \ldots a_n$ over the alphabet $ACT$. In other words, we can always 
assume that the underlying set of situations is the set $ACT^*$ of finite words over 
the alphabet $ACT$, that the functions $do_a^{\mathcal{M}}$ map $w \in SIT^{\mathcal{M}}$ to $wa \in SIT^{\mathcal{M}}$, and 
that the initial situation $s_I^{\mathcal{M}}$ is the empty word $\varepsilon$. 

Furthermore, the third requirement (explicitly) ensures that the algebra of 
states $ST^{\mathcal{M}}$ together with the function $\circ^{\mathcal{M}}$ and the constant $0^{\mathcal{M}}$ is isomorphic 
to the set of finite multisets over the set $FL$ together with multiset union as 
operation. Therefore, without loss of generality, we can always assume that these 
two sets are equal. 

An $(ACT, FL)$-structure will be called a canonical tree structure if the set of 
situations equals $ACT^*$, the functions $do_a$ are the extension of the argument 
by the letter $a$, the initial situation is the empty word, and the set of states 
is the set of finite multisets over $FL$ (where $\circ$ is the multiset union and $0^{\mathcal{M}}$ 
denotes the empty multiset). 

3 The Language 

We will use a language that allows to make first order statements on states and 
monadic second order statements on situations. More formally, we have variables 
$x_1, x_2, \ldots$ ranging over states as well as finitely many state constants $0, F$ for 
$F \in FL$ that are of sort $ST$. There are elementary variables $s_1, s_2, \ldots$ ranging 
over situations and a situation constant $s_I$ that are of sort $SIT$. In addition, we 
allow set variables $S_1, S_2, \ldots$ ranging over sets of situations. 

Terms of sort $ST$ and $SIT$ are defined in the usual way, where terms of sort 
$ST$ use only the constants $0$, $F \in FL$, the function symbol $\circ$ and state variables 
$x_i$. $\circ$ is assumed to be an AC1-symbol written infix with $0$ being its unit 
element. State formulas are built up from equations of the form $t_1 = t_2$ by 
the logical connectives $\wedge, \vee, \neg$ etc. and quantification over states, where $t_i$ are 
terms of sort $ST$. E.g., $(\exists x_1)\,[x_1 \circ F_1 = x_2 \wedge \neg(x_1 = F_2)]$ is a state formula 
with one free state variable $x_2$. 

In many applications, in particular in those where we require that each fluent 
$F \in FL$ occurs at most once in a state $s$, it is convenient to introduce a macro 
$holds(F, s) := (\exists x)\, state(s) = F \circ x$. 

Next, we describe what we mean by an instance of the fluent calculus. It 
consists of the finite sets $ACT$ of actions, $FL$ of fluents and a set $\mathcal{T}$ of 
axioms, which is the union of $\mathcal{T}_I$ and a set of state update axioms of the following form: 

The set $\mathcal{T}_I$: The set $\mathcal{T}_I = \{\varphi(state(s_I))\}$ describes the initial state and contains 
one axiom where $\varphi$ is a state formula with one free variable. E.g., if in a simple 
scenario we have some partial knowledge about the initial state, viz. that an 
agent is known to have three quarters ($q$), a cookie ($c$) but no tea ($t$), then 

$$\mathcal{T}_I = \{(\exists x)\,[state(s_I) = q \circ q \circ q \circ c \circ x \wedge \neg(\exists x')\, x = t \circ x']\}. \tag{1}$$

The set of state update axioms: For any action $a \in ACT$, we have several 
state update axioms of the form $A_a = (\forall s)\,\delta_a(state(s), state(do_a(s)))$, where 
$\delta_a$ is a state formula with two free variables. A restricted state update axiom 
is a state update axiom $A_a$ as above where $\delta_a$ is only a Boolean combination 
of formulas $\varphi(state(s))$ and $\varphi(state(do_a(s)))$, and where $\varphi$ is a state formula 
with one free variable. E.g., with the help of the axiom 

$$(\exists x)\, state(s) = q \circ q \circ q \circ x \to (\exists x')\, state(do_{get\_tea}(s)) = t \circ x'$$

we can describe the preconditions as well as the positive effect of an action 
$get\_tea$, viz. that the agent needs to have three quarters in some situation $s$ in 
order to get a cup of tea. 

If in the instance $(ACT, FL, \mathcal{T})$ of the fluent calculus each state update axiom 
is restricted, then this is an instance of the restricted fluent calculus. 
Let $T_1, T_2$ be terms of sort $SIT$ and $\varphi$ a state formula with one free state 
variable. Then $T_1 = T_2$, $\varphi(state(T_1))$ and $T_1 \in S$ are atomic formulas, where 
$S$ is a set variable. Formulas are built up from atomic formulas by the logical 
connectives $\wedge, \vee, \neg$ etc. and quantification over situations or sets of situations. 
The satisfaction relation $\mathcal{M} \models \varphi$ between $(ACT, FL)$-structures $\mathcal{M}$ and monadic 
formulas $\varphi$ is defined canonically. If $\mathcal{T}$ is a set of formulas and $\varphi$ is a formula, 
we write $\mathcal{T} \models \varphi$ iff for any $(ACT, FL)$-structure $\mathcal{M}$, we have $\mathcal{M} \models \mathcal{T} \Rightarrow \mathcal{M} \models \varphi$. 

Monadic queries: A monadic query is a formula without free variables. This 
query language is quite expressive. E.g., we can express properties like "every 
maximal path in the tree of situations originating in a situation, in which fluent 
$F_1$ holds, contains a situation in which fluent $F_2$ holds": 

$$(\forall s, S)\,[[holds(F_1, s) \wedge s \in S \wedge (\forall s_1)\,(s_1 \in S \to \textstyle\bigvee_{a \in ACT} do_a(s_1) \in S)] \to (\exists s_2)\,(s_2 \in S \wedge holds(F_2, s_2))]$$

The monadic entailment problem consists of an instance $(ACT, FL, \mathcal{T})$ of the 
restricted fluent calculus and a monadic query $Q$, and is the question whether 
$\mathcal{T} \models Q$ holds. We are going to show that this problem is decidable, but that it 
is not elementary decidable (i.e. the time complexity cannot be described by a 
function using addition, multiplication, and exponentiation). 

State queries: Formulas of the form $(\exists s)\,\varphi(state(s))$, where $\varphi$ is a state formula 
with one free variable, are called state queries. Thus, any state query is a monadic 
query. E.g., $(\exists s)\, holds(t, s)$ is a state query asking for a situation $s$ in which 
an agent holds a cup of tea. We will show that the restriction of the monadic 
entailment problem to state queries is decidable in elementary time. 

Unrestricted state update axioms: Recall that restricted state update axioms are 
Boolean combinations of formulas of the form $\varphi(state(s))$ and $\varphi(state(do_a(s)))$, 
universally quantified over all situations $s$. E.g., the formula 

$$(\exists x)\, state(s) = q \circ q \circ q \circ x \to state(do_{get\_tea}(s)) \circ q \circ q \circ q = state(s) \circ t \tag{2}$$

is not a restricted state update axiom because it directly relates a state with its 
successor state. Here, executing the $get\_tea$ action results in the consumption of 
three quarters and the production of a cup of tea, whereas all other fluents are 
preserved. We can now answer queries like $(\exists s, x_1)\, state(s) = t \circ x_1$: Using (1) 
and (2) we conclude that $(\exists x)\, state(do_{get\_tea}(s_I)) = c \circ t \circ x \wedge \neg(\exists x')\, x = t \circ x'$. 
Due to lack of space we cannot give an extended introduction into the fluent 
calculus and must refer the interested reader to the literature (e.g. [30]). 

We will show that the abovementioned entailment problem is undecidable 
even for state queries if we allow unrestricted state update axioms, but consider 
arbitrary instances of the fluent calculus. However, if we additionally assume 
that each fluent occurs at most once in each state term, then the entailment 
problem consisting of an instance of the fluent calculus and state queries becomes 
decidable. This problem becomes undecidable again if we allow fluents to be 
defined with the help of unary function symbols. 
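The tea scenario of this section can be run as code. The following Python example is added here and is not part of the paper: it represents ground state terms as multisets (collections.Counter), so AC1-equality of state terms is multiset equality, implements the holds macro and the initial-state axiom (1), reads the unrestricted update axiom (2) as a state transformer by solving its multiset equation, and checks the conclusion drawn from (1) and (2) on a few constructed initial states. The names state_term, matches_prefix, get_tea, restricted_axiom_holds and the list INITIAL_STATES are assumptions made for the example.

```python
from collections import Counter

# Added example: the tea scenario of Section 3 with state terms as multisets.
# Fluent names are constructed: q = quarter, c = cookie, t = tea.
Q, C, T = 'q', 'c', 't'


def state_term(*fluents):
    """The ground state term F1 o F2 o ... as a multiset; state_term() is 0."""
    return +Counter(fluents)


def holds(fluent, state):
    """holds(F, s) := (exists x) state(s) = F o x, i.e. F occurs at least once."""
    return state[fluent] > 0


def matches_prefix(pattern, state):
    """Does (exists x) state = pattern o x hold?  True iff pattern is a sub-multiset."""
    return all(state[f] >= n for f, n in pattern.items())


def satisfies_initial_axiom(state):
    """Axiom (1): state(s_I) = q o q o q o c o x for an x that contains no tea."""
    # Containment gives the rest x; "no tea in x" is then "no tea at all",
    # because the explicit part q o q o q o c contains no t.
    return matches_prefix(state_term(Q, Q, Q, C), state) and not holds(T, state)


def restricted_axiom_holds(state, successor):
    """The restricted axiom of Section 3: three quarters now imply tea afterwards."""
    precondition = matches_prefix(state_term(Q, Q, Q), state)
    return (not precondition) or holds(T, successor)


def get_tea(state):
    """Axiom (2) read as a transformer: state(do(s)) o q o q o q = state(s) o t.

    The multiset equation has the unique solution state + {t} - {q, q, q} when
    the precondition holds; every other fluent is carried over unchanged.
    """
    if not matches_prefix(state_term(Q, Q, Q), state):
        return None  # precondition false: axiom (2) says nothing about the successor
    return +(state + state_term(T) - state_term(Q, Q, Q))


def conclusion_holds(successor):
    """(exists x) state(do_get_tea(s_I)) = c o t o x  and  not (exists x') x = t o x'."""
    return matches_prefix(state_term(C, T), successor) and successor[T] == 1


# Constructed models of (1): the unknown rest x ranges over a few multisets.
INITIAL_STATES = [
    state_term(Q, Q, Q, C),              # x = 0
    state_term(Q, Q, Q, C, C),           # x = c
    state_term(Q, Q, Q, Q, C),           # x = q
    state_term(Q, Q, Q, Q, Q, C, C),     # x = q o q o c
]


def conclusion_entailed():
    """Does every constructed model of (1) satisfy the conclusion after get_tea?"""
    assert all(satisfies_initial_axiom(s) for s in INITIAL_STATES)
    return all(conclusion_holds(get_tea(s)) for s in INITIAL_STATES)


def restricted_axiom_loses_frame():
    """A successor that forgets the cookie still satisfies the restricted axiom."""
    start = state_term(Q, Q, Q, C)
    bare_tea = state_term(T)
    return restricted_axiom_holds(start, bare_tea) and not conclusion_holds(bare_tea)
```

The last function shows, on the page's own scenario, why axiom (2) is needed for the conclusion: the restricted axiom only demands that tea be present afterwards, so a successor in which the cookie has vanished satisfies it, whereas the multiset equation of (2) carries the cookie over.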
4 The Monadic Entailment Problem 

4.1 Decidability of the Monadic Entailment Problem 

To show that the monadic entailment problem is decidable, we show that one can 
decide whether there exists an $(ACT, FL)$-structure $\mathcal{M}$ with $\mathcal{M} \models \mathcal{T} \cup \{\neg Q\}$. 
Recall that any $(ACT, FL)$-structure is isomorphic to a canonical tree structure 
$\mathcal{M}$. Furthermore, a canonical tree structure over $ACT$ and $FL$ is uniquely given 
by the function $state^{\mathcal{M}}$ that maps words over $ACT$ to finite multisets over 
$FL$. Note that the range of the function $state^{\mathcal{M}}$ can be infinite, i.e., the set 
$\{state^{\mathcal{M}}(w) \mid w \in SIT^{\mathcal{M}}\}$ can contain infinitely many states. The announced 
decidability result relies on the fact that we can reduce this infinite range to a 
finite one. 

Let the size of a formula be its length and $k \in \mathbb{N}$ be some nonnegative 
integer. Furthermore, let $SF_k$ denote the set of all state formulas of size at 
most $k$, with one free variable $x_1$ and which use at most the variable names 
$x_1, \ldots, x_k$. $SF_k$ and its powerset are finite. A set $M \subseteq SF_k$ is consistent if 
there exists a state $x \in ST^{\mathcal{M}}$ such that $\mathcal{MS} \models \varphi(x)$ for any $\varphi \in M$. 

Lemma 4.1. There exists an algorithm solving the following problem in time 
$O(\exp^3(cf(f + k + d + 2)^k))$ for some constants $c$ and $d$: Given a finite set $FL$ 
with $f = |FL|$, an integer $k$ and $M \subseteq SF_k$, is $M$ consistent? 

Proof. The formulas in $SF_k$ are state formulas with one free variable $x_1$. Let 
$\psi = \bigwedge M$. Then one has to decide whether $\exists x_1\, \psi$ holds in the structure 
$\mathcal{MS}$. One can obviously consider a multiset $x \in ST^{\mathcal{M}}$ as a function $FL \to \mathbb{N}$ or, 
equivalently, as a tuple of nonnegative integers $x^1, \ldots, x^f$, where $f = |FL|$ is the 
number of fluents and $x^i$ denotes the number of occurrences of the $i$-th fluent in 
the multiset $x$. We inductively define a first order formula $\psi'$ in the language 
of the structure $(\mathbb{N}; +, 0, 1)$ that is equivalent to $\psi$: First, let $t$ be a state term 
and let $1 \le i \le f$. If $t = F_i$ (where $F_i$ is the $i$-th fluent), let $t^i = 1$; if $t = F_j$ 
with $i \neq j$, set $t^i = 0$; if $t = x_\ell$ is a variable, set $t^i = x_\ell^i$; and if $t = 0$ let 
$t^i = 0$. Furthermore, $(t_1 \circ t_2)^i = t_1^i + t_2^i$. Thus, we have defined a term over the 
signature $(+, 0, 1)$ from a term over the signature $(\circ, 0, FL)$. 

Now let $\alpha = (t_1 = t_2)$ be an equation of two state terms. Then $\alpha' = 
\bigwedge_{1 \le i \le f}(t_1^i = t_2^i)$, which is a formula in the language of the structure $(\mathbb{N}; +, 0, 1)$. 
If $\alpha = \exists x_\ell\, \beta$ is a state formula, let $\alpha' = \exists x_\ell^1 \exists x_\ell^2 \ldots \exists x_\ell^f\, \beta'$. Finally, $(\neg\beta)' = \neg\beta'$ 
and $(\beta_1 \theta \beta_2)' = \beta_1' \theta \beta_2'$, where $\theta$ is any binary logical connective. 

One can easily check, and the explanation above should give an intuition, that 
$\mathcal{MS} \models \psi$ iff $(\mathbb{N}; +, 0, 1) \models \psi'$. By [23], the latter can be checked effectively. 

Next we prove the complexity bound: Let $n$ denote the number of state for- 
mulas in $SF_k$. Let $d$ denote the number of symbols that can occur in formulas. 
Recall that any state formula in $SF_k$ uses at most the variables $x_1, \ldots, x_k$. 
Hence, $f + k + d$ symbols can occur in a state formula from $SF_k$. Because these 
state formulas have length at most $k$, we get $n \le (f + k + d)^k$. 

$M$ has at most $n$ elements. Hence, $\psi = (\exists x_1) \bigwedge M$ has size $O(kn)$. Since 
in the construction of $\psi'$ from $\psi$, we have essentially replaced each variable 
occurrence by $f$ variable occurrences, the formula $\psi'$ has length $O(fkn)$. By 
[22], the validity of $\psi'$ in $(\mathbb{N}; +, 0, 1)$ can be checked in time $\exp^3(c' fkn)$ for 
some constant $c'$. Thus, we obtain an upper bound for the deterministic time 
complexity of $\exp^3(fkc(f + k + d)^k) = O(\exp^3(c(f + k + d + 2)^k))$. □ 

We only gave an upper bound for the complexity of the consistency test. 
The proof of this bound is based on the result by Oppen that the validity of a 
first order formula in (N; +, 0, 1) can be checked in triple exponential time. A 
lower bound for this validity check was proved by Fischer and Rabin [6]: Any 
nondeterministic algorithm needs at least double exponential time. Hence the 
upper bound above can be improved at most by one exponentiation. 
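The translation of Lemma 4.1 is mechanical enough to write down. The following Python example is added here and is not the paper's code: over a constructed three-fluent alphabet (q, c, t playing $F_1, F_2, F_3$) it computes the components $t^i$ of state terms, renders the translated formula $\psi'$ over $(\mathbb{N}; +, 0, 1)$ with one quantifier per component, and, for quantifier-free formulas, checks by brute force over small multisets that $\mathcal{MS} \models \alpha(x)$ iff $(\mathbb{N}; +, 0, 1) \models \alpha'(x^1, \ldots, x^f)$, the equivalence the proof relies on. The tuple encoding of terms and formulas and the names component, translate and translation_agrees are assumptions of the example.

```python
from collections import Counter
from itertools import product

# Added example: the translation of Lemma 4.1 over a constructed fluent alphabet.
FL = ['q', 'c', 't']   # F_1, F_2, F_3; a multiset x becomes the tuple (x^1, x^2, x^3)
F = len(FL)

# State terms:    ('F', name) | ('x', l) | ('0',) | ('o', t1, t2)
# State formulas: ('eq', t1, t2) | ('not', a) | ('and', a, b) | ('exists', l, a)


def component(t, i):
    """t^i as a linear expression: Counter {variable: coefficient, '1': constant}."""
    kind = t[0]
    if kind == 'F':
        return Counter({'1': 1}) if FL[i] == t[1] else Counter()   # F_i^i = 1, F_j^i = 0
    if kind == 'x':
        return Counter({f'x{t[1]}^{i + 1}': 1})                     # (x_l)^i = x_l^i
    if kind == '0':
        return Counter()                                            # 0^i = 0
    return component(t[1], i) + component(t[2], i)                  # (t1 o t2)^i = t1^i + t2^i


def render(lin):
    """Write a linear expression using the signature (+, 0, 1) only."""
    parts = []
    for v, n in sorted(lin.items()):
        parts.extend(['1'] * n if v == '1' else [v] * n)
    return ' + '.join(parts) or '0'


def translate(phi):
    """phi' of Lemma 4.1 as a string over (N; +, 0, 1)."""
    kind = phi[0]
    if kind == 'eq':
        eqs = [f'{render(component(phi[1], i))} = {render(component(phi[2], i))}'
               for i in range(F)]
        return '(' + ' ∧ '.join(eqs) + ')'
    if kind == 'not':
        return '¬' + translate(phi[1])
    if kind == 'and':
        return '(' + translate(phi[1]) + ' ∧ ' + translate(phi[2]) + ')'
    quantifiers = ''.join(f'∃x{phi[1]}^{i + 1} ' for i in range(F))   # one per component
    return quantifiers + translate(phi[2])


def eval_term(t, assignment):
    """Value of a state term in MS; assignment maps a variable index to a multiset."""
    kind = t[0]
    if kind == 'F':
        return Counter([t[1]])
    if kind == 'x':
        return assignment[t[1]]
    if kind == '0':
        return Counter()
    return eval_term(t[1], assignment) + eval_term(t[2], assignment)


def holds_in_ms(phi, assignment):
    """Truth of a quantifier-free state formula in MS."""
    kind = phi[0]
    if kind == 'eq':
        return +eval_term(phi[1], assignment) == +eval_term(phi[2], assignment)
    if kind == 'not':
        return not holds_in_ms(phi[1], assignment)
    if kind == 'and':
        return holds_in_ms(phi[1], assignment) and holds_in_ms(phi[2], assignment)
    raise ValueError('quantifiers are left to the Presburger decision procedure')


def holds_in_n(phi, ints):
    """Truth of the translated quantifier-free formula in (N; +, 0, 1)."""
    def value(lin):
        return sum(n if v == '1' else n * ints[v] for v, n in lin.items())
    kind = phi[0]
    if kind == 'eq':
        return all(value(component(phi[1], i)) == value(component(phi[2], i)) for i in range(F))
    if kind == 'not':
        return not holds_in_n(phi[1], ints)
    if kind == 'and':
        return holds_in_n(phi[1], ints) and holds_in_n(phi[2], ints)
    raise ValueError('quantifiers are left to the Presburger decision procedure')


def as_tuples(assignment):
    """The tuple view of the proof: x_l becomes the integers x_l^1, ..., x_l^f."""
    return {f'x{l}^{i + 1}': m[FL[i]] for l, m in assignment.items() for i in range(F)}


def translation_agrees(phi, variables, bound=2):
    """Brute-force check of MS |= phi(x) iff N |= phi'(x^1..x^f) over small multisets."""
    counts = range(bound + 1)
    for vectors in product(product(counts, repeat=F), repeat=len(variables)):
        assignment = {l: Counter(dict(zip(FL, vec))) for l, vec in zip(variables, vectors)}
        if holds_in_ms(phi, assignment) != holds_in_n(phi, as_tuples(assignment)):
            return False
    return True


# The page's example (∃x_1)[x_1 o F_1 = x_2 ∧ ¬(x_1 = F_2)] with F_1 = q, F_2 = c.
BODY = ('and', ('eq', ('o', ('x', 1), ('F', 'q')), ('x', 2)),
               ('not', ('eq', ('x', 1), ('F', 'c'))))
EXAMPLE = ('exists', 1, BODY)
```

translate(EXAMPLE) prints the three quantifiers $\exists x_1^1 \exists x_1^2 \exists x_1^3$ followed by a conjunction of $f = 3$ component equations per state equation, which is exactly the blow-up by a factor $f$ that the complexity bound in the proof accounts for.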

For a state $x \in ST^{\mathcal{M}}$, let $Th_k(x)$ denote the set of state formulas in $SF_k$ 
that are satisfied by $x$, i.e., $Th_k(x) = \{\varphi \in SF_k \mid \mathcal{MS} \models \varphi(x)\}$. A set $M \subseteq SF_k$ 
is maximally consistent if there exists a state $x \in ST^{\mathcal{M}}$ with $M = Th_k(x)$. We 
use Lemma 4.1 to show that a maximally consistent superset of a given set 
$M \subseteq SF_k$ can be computed effectively: 

Lemma 4.2. There exists an algorithm of elementary time complexity comput- 
ing a function $Red$ with the following property: Given a finite set $FL$, an integer 
$k$ and $M \subseteq SF_k$, it computes a maximally consistent set $Red_k(M)$ containing 
$M$ if $M$ is consistent, and $\emptyset$ if $M$ is inconsistent. 

Proof. Let $n = |SF_k|$ and $f = |FL|$. To compute a maximally consistent su- 
perset of $M \subseteq SF_k$, do the following: Let $SF_k = \{\varphi_1, \ldots, \varphi_n\}$ and $M_1 = M$. 
For $1 \le i \le n$, set $M_{i+1} = M_i \cup \{\varphi_i\}$ if this set is consistent, and $M_{i+1} = M_i$ 
otherwise. Thus, we have to check the consistency of $n$ sets of state formulas 
from $SF_k$. Each such test can be done in time $O(\exp^3(cf(f + k + d + 2)^k))$ by 
Lemma 4.1. In the proof of Lemma 4.1 we showed that $n \le (k + f + d)^k$. Hence, 
the computation of a maximally consistent superset of $M$ can be done in time 
$O((k + f + d)^k \cdot \exp^3(c(f + k + d + 2)^k))$, which is elementary in $f$ and $k$. □ 

The function $Red$ can be used to check consistency. From [6], we obtain a 
minimal nondeterministic time complexity doubly exponential in $(f + k)^k$. 

Let $\mathcal{M}$ be some canonical tree structure. We define a new function $\lambda : 
SIT^{\mathcal{M}} \to \mathcal{P}(SF_k)$ by $\lambda(w) = Th_k(state(w)) = \{\varphi \in SF_k \mid \mathcal{MS} \models \varphi(state^{\mathcal{M}}(w))\}$ 
for any $w \in SIT^{\mathcal{M}}$. The structure $Th_k(\mathcal{M}) = (SIT^{\mathcal{M}}; (do_a^{\mathcal{M}})_{a \in ACT}, \lambda)$ is 
again a labeled tree. But now the labeling assumes only finitely many values, 
namely maximally consistent subsets of $SF_k$. 

Similarly to the structure, we convert formulas: Let $\psi$ be a monadic for- 
mula. Recall that the building blocks of these formulas are formulas of the form 
$\varphi(state(T))$ where $\varphi$ is a state formula with one free variable and $T$ is a term 
of sort situation. Let $k \in \mathbb{N}$ such that any such building block occurring in $\psi$ 
belongs to $SF_k$ (since $\psi$ is finite, such an integer exists). Now replace any build- 
ing block $\varphi(state(T))$ in $\psi$ by $\varphi \in \lambda(T)$. The formula $\varphi \in \lambda(T)$ is equivalent 
to $\bigvee \lambda(T) = M$ where the disjunction runs over all $M = Th_k(w)$ for some 
$w \in ACT^*$ with $\varphi \in M$. Hence the result $Red_k(\psi)$ of these replacements is a 
formula of the monadic second order logic for labeled trees where the labels are 
maximally consistent subsets of $SF_k$. 

More formally, we define $Red_k(\psi)$ by structural induction on $\psi$: If $\psi = 
(T_1 = T_2)$ where $T_1$ and $T_2$ are situation terms, then $Red_k(\psi) = (T_1 = 
T_2)$. Similarly, if $\psi = (T \in S)$ where $T$ is a term of sort $SIT$ and $S$ is a 
set variable, we define $Red_k(\psi) = (T \in S)$. If $\psi = \varphi(state(T))$ where $\varphi$ is 
a state formula with one free variable and $T$ is a term of sort $SIT$, we set 
$Red_k(\psi) = (\varphi \in \lambda(T))$. For formulas $\psi_1$ and $\psi_2$, a variable $s_i$ of sort $SIT$ and 
a set variable $S_j$, we proceed by setting $Red_k(\neg\psi_1) = \neg Red_k(\psi_1)$, $Red_k(\psi_1 \wedge 
\psi_2) = Red_k(\psi_1) \wedge Red_k(\psi_2)$, $Red_k((\exists s_i)\,\psi_1) = (\exists s_i)\, Red_k(\psi_1)$, and similarly 
$Red_k((\exists S_j)\,\psi_1) = (\exists S_j)\, Red_k(\psi_1)$. 

Lemma 4.3. Let $\psi$ be a monadic formula and $k \in \mathbb{N}$ such that any state 
formula occurring in $\psi$ belongs to $SF_k$. Let $\mathcal{M}$ be a canonical tree structure. 
Then $\mathcal{M} \models \psi$ iff $Th_k(\mathcal{M}) \models Red_k(\psi)$. 

Proof. The lemma is shown by structural induction on the formula $\psi$. In the 
following, let $T_1, T_2$ be situation terms, $S$ a set variable, and $\varphi$ a state formula 
with one free variable. Then, for any interpretation of the variables, we obviously 
obtain $\mathcal{M} \models (T_1 = T_2)$ iff $Th_k(\mathcal{M}) \models (T_1 = T_2)$ since the underlying trees $ACT^*$ 
and the functions $do_a$ of the two structures coincide. Similarly, $\mathcal{M} \models (T_1 \in S)$ 
iff $Th_k(\mathcal{M}) \models (T_1 \in S)$. The only nontrivial case is a formula of the form 
$\varphi(state(T_1))$: Let $w \in ACT^*$ be the situation denoted by the term $T_1$ (under 
the variable interpretation in consideration). Then $\mathcal{M} \models \varphi(state(T_1))$ iff $\mathcal{M} \models 
\varphi(state^{\mathcal{M}}(w))$. But this is equivalent to $\varphi \in \lambda(w)$, i.e., to $Th_k(\mathcal{M}) \models \varphi \in \lambda(T_1)$. 
Now the induction proceeds straightforwardly. □ 

Note that in the structure $Th_k(\mathcal{M})$ any set $\lambda(w)$ for $w \in SIT^{\mathcal{M}}$ is max- 
imally consistent. Next we show that conversely any mapping $\lambda$ that assumes 
only maximally consistent sets stems from some structure $Th_k(\mathcal{M})$: 

Lemma 4.4. Let $k \in \mathbb{N}$ and $\lambda : ACT^* \to \mathcal{P}(SF_k)$ with $\lambda(w)$ maximally con- 
sistent for any $w \in ACT^*$. Then there exists an $(ACT, FL)$-structure $\mathcal{M}$ with 

$$Th_k(\mathcal{M}) = (ACT^*; (do_a)_{a \in ACT}, \varepsilon, \lambda).$$

Proof. Let $w \in ACT^*$ and let $M = \lambda(w)$. $M$ is maximally consistent. The 
consistency of $M$ implies that there exists an $x \in ST^{\mathcal{M}}$ such that $\mathcal{MS} \models 
\varphi(x)$ for any $\varphi \in M$. Let $state^{\mathcal{M}}(w) = x$. Since $M$ is maximally consistent, 
we get $M = \{\varphi \in SF_k \mid \mathcal{MS} \models \varphi(state^{\mathcal{M}}(w))\}$ and, therefore, $Th_k(\mathcal{M}) = 
(ACT^*; (do_a)_{a \in ACT}, \varepsilon, \lambda)$. □ 

Now we can describe the decision procedure for the restricted fluent calculus 
and monadic queries: Let $(ACT, FL, \mathcal{T})$ be an instance of the restricted fluent 
calculus and $Q$ a monadic query. Now proceed as follows: 

Step 1: Compute $k \in \mathbb{N}$ such that any state formula that is a subformula 
of some formula in $\mathcal{T} \cup \{\neg Q\}$ belongs to $SF_k$. 

Step 2: Compute $\alpha = Red_k(\bigwedge \mathcal{T} \wedge \neg Q)$. 

Step 3: Compute $\Sigma_k$ as the set of maximally consistent subsets of $SF_k$. 

Step 4: Check whether there exists a $\Sigma_k$-labeled tree $T = (ACT^*, do_a, \varepsilon, \lambda)$ 
such that $T \models \alpha$. 

The first two steps are recursive (take, for instance, the maximal size of a 
formula in $\mathcal{T} \cup \{\neg Q\}$ as $k$). The third step can be performed effectively by 
Lemma 4.1. The decidability of the fourth step, i.e., the existence of a $\Sigma_k$- 
labeled tree $T$ that satisfies $\alpha$, is Rabin's Theorem [24]. Thus, we have 

Theorem 4.5. The monadic entailment problem is decidable. 

Remark 4.6. Note that the proof of the theorem above uses the decidability of 
two theories: The first one is the first order theory of the natural numbers with 
addition known as “Presburger arithmetic” in mathematical logic. The second 
decidable theory is the monadic second order theory of labeled trees, known as 
Rabin’s Theorem. We had to investigate the interplay between these two theories 
using ideas going back to [5] and [27] . 

4.2 Complexity of the Monadic Entailment Problem 

We already analyzed the complexity of the function $Red$ that is used in our 
decision procedure (Lemma 4.2). Although it is of pretty high time complexity, 
the most important source of complexity in the monadic entailment problem is 
the fourth step. Using a very simple instance of the fluent calculus, we show 
that the complexity of the monadic entailment problem is non-elementary: So 
let $ACT = \{a\}$ be a singleton and $FL = \emptyset$ be the empty set. The (restricted) 
state update axiom $A_a$ is of the trivial form $\forall s\,(0 = 0)$. There is just one 
$(ACT, FL)$-structure, which is isomorphic to $\mathcal{N} = (\mathbb{N}, \{0\}; +1, \circ, 0, 0, ())$. Any 
monadic second order sentence on the structure $(\mathbb{N}; +1)$ can be considered as an 
equivalent monadic query for this particular structure. The validity of monadic 
second order sentences in $(\mathbb{N}; +1)$ is known to be of non-elementary complexity 
[20] even if one restricts the set quantification to finite sets. Thus, we obtain 

Theorem 4.7. The monadic entailment problem is not elementary decidable. 

4.3 State Queries 

In this section we are going to show that the entailment problem for state queries 
is elementary. Since the source of the non-elementary complexity in our decision 
procedure is its fourth step, we will only alter this one. From the third step we 
know the set $\Sigma_k$ of all maximally consistent subsets of $SF_k$. This set will be 
the vertex set of a directed graph. Before we construct the edges, recall that a 
restricted state update axiom is an axiom $A_a$ of the form $(\forall s)\,\delta_a(s)$ where 
$\delta_a(s)$ is a Boolean combination of state formulas of the form $\varphi(state(s))$ and 
$\varphi(state(do_a(s)))$. We may replace $state(s)$ by $x_1$ and $state(do_a(s))$ by $x_2$ in 
the formula $\delta_a$. The result is a state formula with two free variables 
$x_1$ and $x_2$. Furthermore, let $(\exists s)\,\psi(state(s))$ denote the state query. Then $\psi$ 
is a state formula with one free variable. Now we define a graph in three steps: 

Step 4.1: Let $V_0 \subseteq \Sigma_k$ be the set of maximally consistent subsets $M$ of $SF_k$ 
with $\psi \notin M$. 

Step 4.2: Let $E_0$ denote the set of all triples $(M, a, N) \in V_0 \times ACT \times V_0$ for 
which there exist finite multisets $X$ and $Y$ over $FL$ with $\mathcal{MS} \models 
\ldots \wedge \ldots \wedge \varphi(Y)$. 

Step 4.3: From the graph $(V_0, E_0)$, erase all vertices $M$ together with all in- 
cident edges $(M, b, M')$ and $(M', b, M)$ for which there is an action 
$a \in ACT$, but no $N \in SF_k$ with $(M, a, N) \in E_0$. Repeat this deletion of 
vertices and edges until any remaining vertex has an $a$-successor 
for any action $a \in ACT$. 

Lemma 4.8. Let $(ACT, FL, \mathcal{T})$ be an instance of the restricted fluent calculus 
and let $Q = (\exists s)\,\psi(state(s))$ be a state query. Let $(V, E)$ denote the graph 
obtained from steps 1-3, 4.1-4.3. Let $\varphi(state(s_I))$ be the only element of $\mathcal{T}_I$. 
Then $\mathcal{T} \not\models Q$ iff in the graph $(V, E)$ there is a vertex $M$ with $\varphi \in M$. 

Proof. Suppose $M \in V$ with $\varphi \in M$. Let $E'$ be some subset of $E$ such 
that for any $N \in V$ and $a \in ACT$, there is a unique node $N' \in V$ with 
$(N, a, N') \in E'$. Now, for any $u \in ACT^*$, there is a unique path in $(V, E')$ 
starting in $M$ with edge label $u$. Let $\lambda(u)$ denote the target node of this 
path. Then $\lambda(u) \in V \subseteq \Sigma_k$. Hence, by Lemma 4.4, there exists an $(ACT, FL)$- 
structure $\mathcal{M}$ with $Th_k(\mathcal{M}) = (ACT^*; (do_a)_{a \in ACT}, \varepsilon, \lambda) = T$. By Lemma 4.3, 
$\mathcal{M} \models \mathcal{T}$ because $T \models Red_k(\mathcal{T})$. Since $\lambda(u) \in V \subseteq V_0$, there is no node $u$ in 
the structure $T$ satisfying $\psi \in \lambda(u)$. Hence, $T$ does not satisfy $(\exists s)\,\psi \in \lambda(s)$. 
But this formula equals $Red_k(Q)$. Hence, by Lemma 4.3, $\mathcal{M} \models \neg Q$, i.e., $\mathcal{T} \not\models Q$, 
which proves one implication. 

Conversely, suppose $\mathcal{T} \not\models Q$. Then there exists an $(ACT, FL)$-structure $\mathcal{M}$ 
with $\mathcal{M} \models \mathcal{T} \cup \{\neg Q\}$. Let $T = (ACT^*; (do_a)_{a \in ACT}, \varepsilon, \lambda) = Th_k(\mathcal{M})$ and define 
$V_1 = \{\lambda(u) \mid u \in ACT^*\}$. Since $\mathcal{M} \models \neg Q$, there is no $u \in ACT^*$ with $\psi \in \lambda(u)$, 
i.e., $V_1 \subseteq V_0$. Furthermore, for $u \in ACT^*$, we have $(\lambda(u), a, \lambda(ua)) \in E_0$ 
by Lemma 4.3 because $\mathcal{M}$ satisfies the state update axioms. Thus, any node 
$M \in V_1$ has at least one $a$-successor in $V_1$. This implies $V_1 \subseteq V$. But now 
$\mathcal{M} \models \varphi(state(s_I))$ ensures $\varphi \in \lambda(\varepsilon)$. Since $M = \lambda(\varepsilon)$ belongs to $V_1 \subseteq V$, we 
showed the second implication, too. □ 

Theorem 4.9. The entailment problem for state queries in the restricted fluent 
calculus is elementary decidable. 

Proof. Using Lemma 4.8 we obtain the decidability because all steps are effec- 
tively computable. By Lemma 4.1, the only problematic steps 3 and 4.2 have an 
elementary complexity. □ 
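Steps 4.1-4.3 and the criterion of Lemma 4.8 can be run on a small graph. The following Python example is added here and is not the paper's code: vertices stand for the maximally consistent sets of Step 4.1 (here frozensets of constructed formula names, none containing the query formula), edges are a constructed result of Step 4.2, the pruning of Step 4.3 is iterated to a fixpoint in which every remaining vertex has a successor for every action, and the final check is Lemma 4.8: the query is not entailed iff a surviving vertex contains the initial-state formula $\varphi$. The graph, the action names and the functions prune and query_entailed are constructed for the example.

```python
# Added example: Steps 4.1-4.3 of Section 4.3 and the criterion of Lemma 4.8
# on a constructed graph.  Vertices model maximally consistent sets of state
# formulas; here they are frozensets of constructed formula names.
ACTIONS = ('a', 'b')

PHI = 'phi'          # the initial-state formula of T_I
PSI = 'psi'          # the state formula of the query (exists s) psi(state(s))

# Step 4.1 already applied: no vertex contains psi.
VA = frozenset({PHI, 'chi'})
VB = frozenset({'chi'})
VC = frozenset({'rho'})
VD = frozenset({PHI})        # pruned later: its only a-successor disappears
VE = frozenset({'sigma'})    # pruned first: it has no b-successor
V0 = {VA, VB, VC, VD, VE}

# Constructed result of Step 4.2: (M, action, N) records that some state
# satisfying M has an action-successor state satisfying N.
E0 = {
    (VA, 'a', VB), (VA, 'b', VA),
    (VB, 'a', VC), (VB, 'b', VA),
    (VC, 'a', VC), (VC, 'b', VC),
    (VD, 'a', VE), (VD, 'b', VD),
    (VE, 'a', VE),
}


def has_successor(vertex, action, vertices, edges):
    """Is there an edge (vertex, action, n) into a still-present vertex n?"""
    return any((vertex, action, n) in edges for n in vertices)


def prune(vertices, edges, actions=ACTIONS):
    """Step 4.3: erase vertices lacking an a-successor for some a, until stable."""
    live, live_edges = set(vertices), set(edges)
    while True:
        dead = {m for m in live
                if not all(has_successor(m, act, live, live_edges) for act in actions)}
        if not dead:
            return live, live_edges
        live -= dead
        live_edges = {(m, act, n) for (m, act, n) in live_edges
                      if m not in dead and n not in dead}


def query_entailed(v0, e0, initial_formula=PHI):
    """Lemma 4.8: T |= Q iff no surviving vertex contains the initial-state formula."""
    survivors, _ = prune(v0, e0)
    return not any(initial_formula in m for m in survivors)


def without_vertex(v0, e0, vertex):
    """A variant graph with one vertex and its incident edges removed."""
    return v0 - {vertex}, {e for e in e0 if vertex not in (e[0], e[2])}
```

On this graph VE is erased in the first round and VD in the second, so VA, VB and VC survive and, since VA contains phi, the query is not entailed; removing VA from the input leaves VC as the only survivor, and the query becomes entailed.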

5 The Undecidability of the Unrestricted Fluent Calculus 

Recall that in the unrestricted fluent calculus state update axioms have the form 
$(\forall s)\,\varphi(state(s), state(do_a(s)))$. More precisely, we will consider state update 
axioms of the form $(\forall s)\,[\psi(state(s)) \to state(do_a(s)) \circ \vartheta^- = state(s) \circ \vartheta^+]$, 
where $\vartheta^-$ and $\vartheta^+$ are ground state terms denoting the direct negative and 
positive effects of action $do_a$ respectively. Given an instance $(ACT, FL, \mathcal{T})$ of 
the fluent calculus we are interested in the question whether it entails state 
queries of the form $(\exists s)\, state(s) = t$, where $t$ is a ground state term. This 
problem is shown to be undecidable by reducing it to the undecidable [21,14] 
problem whether a configuration of a two-counter machine is accepted. 

5.1 Two Counter Machines 

For integers $i, j$ with $i \le j$ let $[i, j]$ denote the set $\{i, i + 1, \ldots, j\}$. A deter- 
ministic two-counter machine is given by an integer $m > 0$ and a mapping 

$$\tau : [1, m] \to \{+\} \times \{1, 2\} \times [0, m]\ \cup\ \{-\} \times \{1, 2\} \times [0, m]^2.$$

In the sequel, let $(m, \tau)$ be a fixed deterministic two-counter machine. A con- 
figuration is a triple $(i, p, q) \in [0, m] \times \mathbb{N}^2$. If the machine is in configuration 
$(i, p, q)$ then its successor configuration is 

$(j, p + 1, q)$ if $\tau(i) = (+, 1, j)$ (increment first counter), 

$(j, p - 1, q)$ if $\tau(i) = (-, 1, j, k)$ and $p > 0$ (decrement first counter), 

$(k, p, q)$ if $\tau(i) = (-, 1, j, k)$ and $p = 0$ (test first counter). 

Incrementing, decrementing, and testing of the second counter are dealt with 
likewise. This defines the successor relation on configurations. A configura- 
tion $(i, p, q)$ is accepted by the machine if, starting from $(i, p, q)$, the machine 
eventually reaches the configuration $(0, 0, 0)$. 

5.2 Encoding Two Counter Machines 

Let $ACT = \{a\}$, $FL = \{c_0, c_1, \ldots, c_m, d, e\}$, $F^0 = 0$ and $F^n = F^{n-1} \circ F$ for 
$n > 0$, and $do = do_a$. Intuitively, the action $a$ denotes one computation step 
in the two-counter machine $(m, \tau)$. A configuration $(i, p, q)$ is encoded into the 
state term $c_i \circ d^p \circ e^q$ and, consequently, $(0, 0, 0)$ is encoded into $c_0 \circ 0 \circ 0$, which 
is equivalent to $c_0$. The state update axioms encode the successor relation 
of the two-counter machine. To this aim, let the set of state update axioms consist of the following axioms 
for $1 \le i \le m$: 

$(\forall s)\,[holds(c_0, s) \to state(do(s)) = state(s)]$ 

if $\tau(i) = (+, 1, j)$: 

$(\forall s)\,[holds(c_i, s) \to state(do(s)) \circ c_i = state(s) \circ d \circ c_j]$ 

if $\tau(i) = (-, 1, j, k)$: 

$(\forall s)\,[holds(c_i, s) \wedge holds(d, s) \to state(do(s)) \circ c_i \circ d = state(s) \circ c_j]$ 

$(\forall s)\,[holds(c_i, s) \wedge \neg holds(d, s) \to state(do(s)) \circ c_i = state(s) \circ c_k]$ 

In case $\tau(i) = (+, 2, j)$ or $\tau(i) = (-, 2, j, k)$ we add state update axioms sim- 
ilar to the preceding ones, where each occurrence of $d$ is replaced by $e$. Re- 
call that $holds(F, s)$ is an abbreviation for the formula $(\exists x)\, state(s) = F \circ 
x$. Hence, the state update axioms we have defined are indeed of the form 
$(\forall s)\,\delta(state(s), state(do(s)))$. 

We define a progression operator on states: For $t, t' \in ST^{\mathcal{M}}$ we say that $t'$ is 
a progression of $t$ if there exists a state update axiom $(\forall s)\,\delta(state(s), state(do(s)))$ 
in the set above with $\mathcal{MS} \models \delta(t, t')$. We also use the transitive and reflexive 
closure of this relation, i.e., "$t$ progresses to $t'$ in $n \ge 0$ steps". 

5.3 Soundness and Completeness of the Encoding 

We start by showing that there is a one-to-one correspondence between the 
successor relation on configurations of two-counter machines and applications 
of the progression operator in the fluent calculus. 

Lemma 5.1. $(i', p', q')$ is the successor configuration of $(i, p, q)$ iff $c_{i'} \circ d^{p'} \circ e^{q'}$ 
is a progression of $c_i \circ d^p \circ e^q$. 

Proof. Suppose $(i', p', q')$ is the successor configuration of $(i, p, q)$. We show that 
$c_{i'} \circ d^{p'} \circ e^{q'}$ is a progression of $c_i \circ d^p \circ e^q$ by case analysis depending on the 
form of $\tau(i)$. If $\tau(i) = (+, 1, j)$, we get $i' = j$, $p' = p + 1$, and $q' = q$. Therefore, 
we find a state update axiom $(\forall s)\,\delta(state(s), state(do(s)))$ with 
$\delta(x_1, x_2) = ((\exists x)\, x_1 = x \circ c_i \to x_2 \circ c_i = x_1 \circ d \circ c_j)$. Now let $t = c_i \circ d^p \circ e^q$ 
and $t' = c_j \circ d^{p+1} \circ e^q$. Then one can easily check that $\mathcal{MS} \models \delta(t, t')$, i.e., that 
$t'$ is a progression of $t$. The other cases follow similarly. 

Conversely, suppose $c_{i'} \circ d^{p'} \circ e^{q'}$ is a progression of $c_i \circ d^p \circ e^q$. Again, we 
distinguish several cases depending on $\tau(i)$. If $\tau(i) = (+, 1, j)$, then only the 
state update axiom $(\forall s)\,\delta(state(s), state(do(s)))$ with $\delta(x_1, x_2) = ((\exists x)\, x_1 = 
x \circ c_i \to x_2 \circ c_i = x_1 \circ d \circ c_j)$ is applicable. Hence, $\mathcal{MS} \models \delta(c_i \circ d^p \circ e^q, 
c_{i'} \circ d^{p'} \circ e^{q'})$, which implies $i' = j$, $p' = p + 1$ and $q' = q$. Consequently, 
$(j, p + 1, q) = (i', p', q')$ is the successor configuration of $(i, p, q)$, which 
concludes this case. The other cases follow similarly. □ 



Theorem 5.2. Let $(m, \tau)$ be a two-counter machine, $(i, p, q)$ a configuration 
and $\mathcal{T}$ the union of the state update axioms of Section 5.2 and $\{state(s_I) = c_i \circ d^p \circ e^q\}$. 
Then, $(i, p, q)$ is accepted by $(m, \tau)$ iff $\mathcal{T} \models (\exists s)\, state(s) = c_0$. 

Proof. Let $\mathcal{M}$ be an $(ACT, FL)$-structure that satisfies $\mathcal{T}$. Because there is only 
one action, the set of situations of $\mathcal{M}$ can be identified with the natural numbers, 
$0$ being the initial situation and $do^{\mathcal{M}}$ the successor function. Furthermore, for 
any situation $s$, $state^{\mathcal{M}}(s + 1)$ is a progression of $state^{\mathcal{M}}(s)$ by the definition of 
the state update axioms. Furthermore, $state(s_I) = c_i \circ d^p \circ e^q$. 

Now remember that $(i, p, q)$ is accepted by $(m, \tau)$ iff there exists $n \in \mathbb{N}$ 
such that the machine reaches $(0, 0, 0)$ from $(i, p, q)$ in $n$ steps. By induction on $n$ 
using Lemma 5.1 we learn for all $n \in \mathbb{N}$ that the machine reaches $(0, 0, 0)$ from 
$(i, p, q)$ in $n$ steps iff $c_i \circ d^p \circ e^q$ progresses to $c_0$ in $n$ steps. Thus, $(i, p, q)$ is 
accepted by $(m, \tau)$ iff $\mathcal{M} \models state(s) = c_0$ for some $s \in ACT^*$. Because $\mathcal{M}$ is the 
only $(ACT, FL)$-structure that satisfies $\mathcal{T}$, we conclude that $(i, p, q)$ is accepted 
iff $\mathcal{T} \models (\exists s)\, state(s) = c_0$. □ 
5.4 Undecidability and Decidability Results

From Theorem 5.2 and the fact that there is a deterministic two-counter machine for which the set of accepted configurations is not recursive [21,14] we obtain

Theorem 5.3. The entailment problem in the fluent calculus is undecidable.

In some applications of the fluent calculus it is preferable to restrict state terms such that each fluent occurs at most once in each state term. Formally, this can be modeled by requiring that the structure $M$ satisfies the set of axioms $\mathcal{T}_{mset} = \{\bigwedge_{F \in FL} state(s) \neq F \circ F \circ x\}$, where $s$, $x$ are variables of sort SIT and ST respectively.

Theorem 5.4. Given an instance $(ACT, FL, \mathcal{T})$ of the fluent calculus and a monadic query $Q$, it is decidable whether $\mathcal{T} \cup \mathcal{T}_{mset} \models Q$.

Proof. Because $FL$ is finite and $M \models \mathcal{T}_{mset}$, the set of states is finite. Consequently, each state update axiom is equivalent to a set of restricted state update axioms. The result is obtained by an application of Theorem 4.5. □



Remark 5.5. Theorem 5.4 corresponds to a result obtained in [29] for the situation calculus. In [29] an open problem is discussed, viz. whether the entailment problem is non-elementary. Theorem 4.7 answers this question positively, because the proof of Theorem 4.7 remains unchanged even if we require that the structure $M$ satisfies $\mathcal{T}_{mset}$. A restricted version of Theorem 5.4 where state queries instead of monadic queries are considered was formally proved in [12].

The core of the proof of Theorem 5.3 was the encoding of a counter in a multiset $x$ as the number of occurrences of $d$ in $x$. This encoding is impossible if each fluent may occur at most once in a state ($M \models \mathcal{T}_{mset}$). If there are two unary function symbols $f_d, f_e : FL \to FL$, we can encode two counters again, where, e.g., the value 3 of the first counter is encoded by $f_d(f_d(b))$. Then, by a proof similar to the one of Theorem 5.3, we obtain:

Theorem 5.6. Suppose the language contains two unary function symbols from $FL \to FL$. Then, given an instance $(ACT, FL, \mathcal{T})$ of the fluent calculus and a state query $Q$, it is undecidable whether $\mathcal{T} \cup \mathcal{T}_{mset} \models Q$.

6 Discussion 

In this paper we have drawn a boundary between decidable and undecidable fragments of the fluent calculus by establishing a relation between the fluent calculus and known results in logic, complexity and automata theory.

Independently, it was shown in [15] that the entailment problem in the fluent calculus is undecidable, by a reduction from an undecidable model checking problem for Petri nets. The same paper also describes a decidable first-order fragment of the fluent calculus. In this fragment fluents may occur more than once in a state, but syntactic constraints on the state update axioms ensure decidability.

We have focussed our attention on the core of the fluent calculus. It remains 
to extend the boundary to extensions of the fluent calculus capable of solving 
advanced problems like the ramification problem or of dealing with more complex 
actions like non-deterministic actions or continuous change. 

Acknowledgements: This research was inspired by many discussions within the DFG-funded postgraduate programme ("Graduiertenkolleg") Specification of Discrete Processes and Systems of Processes by Operational Models and Logics

Abstract. We develop an abstract partial deduction method capable of solving planning problems in the Fluent Calculus. To this end, we extend "classical" partial deduction to accommodate both equational theories and regular type information. We show that our new method is actually complete for conjunctive planning problems in the propositional Fluent Calculus. Furthermore, we believe that our approach can also be used for more complex systems, e.g., in cases where completeness cannot be guaranteed due to general undecidability.

1 Introduction 

One of the most widely used computational-logic-based formalisms to reason about action and change is the situation calculus. In the situation calculus a situation of the world is represented by the sequence of actions $a_1, a_2, \ldots, a_k$ that have been performed since some initial situation $s_0$. Syntactically, a situation is represented by a term $do(a_k, do(a_{k-1}, \ldots, do(a_1, s_0) \ldots))$. There is no explicit representation of what properties hold in any particular situation: this information has to be derived using rules which define which properties are initiated and which ones are terminated by any particular action $a_i$.

The fluent calculus ($\mathcal{FC}$) "extends" the situation calculus by adding explicit state representations: every situation is assigned a multi-set of so-called fluents. Every action $a$ not only produces a new situation $do(a, \ldots)$ but also modifies this multi-set of fluents. This enables the fluent calculus to solve the (representational and inferential) frame problem in a simple and elegant way [10]. The fluent calculus can also more easily handle partial state descriptions and provides a solution to the explanation problem.

The multi-sets of fluents of $\mathcal{FC}$ are represented using an extended equational theory (EUNA, for extended unique name assumptions [11]) with an associated extended unification (AC1) which treats $\circ$ as a commutative and associative function symbol and $1^\circ$ as the neutral element wrt $\circ$ (i.e., for any $s$, $s \circ 1^\circ =_{AC1} 1^\circ \circ s =_{AC1} s$). Syntactically, the empty multi-set is thus $1^\circ$ and a multi-set of $k$ fluents is represented as a term of the form $f_1 \circ \ldots \circ f_k$. This allows for a natural encoding of resources (à la linear logic) and it has the advantage that adding a fluent $f$ to a multi-set $M$, or removing it, can be expressed very easily using AC1 unification: $Add =_{AC1} M \circ f$ and $Del \circ f =_{AC1} M$.

In this light, the underlying execution mechanism of $\mathcal{FC}$ is the so-called SLDE-resolution, which extends ordinary SLD-resolution by adding support for an underlying equational theory, in this case AC1. An alternative way of implementing $\mathcal{FC}$ would be to implement the equational theory as a rewrite system and then use narrowing. Unfortunately, both of these approaches are useless for many interesting applications of $\mathcal{FC}$. For example, neither SLDE nor narrowing can solve the so-called conjunctive planning problem, which consists of finding a plan which transforms an initial situation $i$ so as to arrive at a situation which contains (at least) all the fluents of some goal situation $g$, e.g. [3]. Indeed, for all but the most trivial examples, both SLDE and narrowing will loop if no plan exists, and will (due to depth-first exploration) often fail to find a plan if one exists.

Part of the problem is the lack of detection of infinite failure (see [2]), but another problem is the inability to produce a finite representation of infinitely many computed answers. In general, of course, these two problems are undecidable and so is the conjunctive planning problem. However, the conjunctive planning problem is not very different from the so-called coverability problem in Petri nets: is it possible to fire a sequence of Petri net transitions so as to arrive at a marking which covers some goal marking? This problem is decidable (e.g., using the Karp-Miller procedure [12]) and in [13] it has been shown that a fragment of the fluent calculus has strong relations to Petri nets.

So, one might try to apply algorithms from Petri net theory to $\mathcal{FC}$ in order to tackle the conjunctive planning problem. However, there is also a logic programming based approach which can solve these problems as well and which scales up to any extension expressible as a logic program. This approach is thus a more natural candidate, as it can not only handle the fragment of $\mathcal{FC}$ described in [13], but any $\mathcal{FC}$ domain which can be represented as a definite logic program (although it will no longer be a decision procedure). Indeed, from [16] we know that partial deduction can be successfully applied to solve coverability problems of Petri nets. Thus, the idea of this paper is to apply partial deduction to fluent calculus specifications in order to decide the conjunctive planning problem for an interesting class of $\mathcal{FC}$ specifications (and to provide a useful procedure for more general $\mathcal{FC}$ domains). There are several problems that still need to be solved in order for this approach to work:

- $\mathcal{FC}$ relies on AC1-unification, but unification under an equational theory is not directly supported by partial deduction as used in [16], and one would have to apply partial deduction to a meta-interpreter implementing AC1-unification. Although this is theoretically feasible, it is still problematic in practice for efficiency and precision reasons. A more promising approach is to extend partial deduction so that it can handle an equational theory.

- Another problem lies with an inherent limitation of "classical" partial deduction, which relies on a rather crude domain for expressing calls: in essence a term represents all its instances. This was sufficient for handling Petri nets in [16] (where a term such as [0,s(X)] represents all Petri net markings with no tokens in place 1 and at least 1 token in place 2), but is not sufficient to handle $\mathcal{FC}$, whose state expressions are more involved. For example, given an $\mathcal{FC}$ specification with two fluents $f_1$ and $f_2$, it is impossible to represent a state which has one or more $f_1$'s but no $f_2$'s. Indeed, in "classical" partial deduction, a term such as $f_1 \circ X$ represents all its instances, and thus also represents states which contain $f_2$'s. To solve this we propose to use so-called abstract partial deduction [14] with an abstract domain based upon regular types [24], and extend it to cope with equational theories.

Although in this paper we are mainly interested in applying partial deduction to the $\mathcal{FC}$ based upon AC1, we present the generalised partial deduction independently of the particular equational theory. However, the use of this general method in practice relies on an efficient unification procedure. If such a procedure cannot be provided and/or one wishes to specialise the underlying equational theory, other approaches, e.g., based on narrowing [8,1], should be considered. The reason we extend classical partial deduction for SLDE-resolution rather than building on top of [1] is that we actually do not wish to modify the underlying equational theory. As we will see later in the paper, this leads to a simpler theory with simpler correctness results, and also results in a tighter link with classical partial deduction as used in [16]. This also means that it is more straightforward to integrate abstract domains as described in [14] (no abstract specialisation exists as yet for narrowing-based approaches).

In the remainder of the paper, we thus develop a partial deduction method which considers both equational theories and regular type information. The method will then enable us to solve conjunctive planning problems in the simple Fluent Calculus. In particular, we show that our method is actually complete for conjunctive planning problems in the propositional Fluent Calculus. We believe that our approach can also be used for more complex systems, without changing much of the algorithm, e.g., in cases where completeness cannot be guaranteed due to general undecidability.

2 The Simple Fluent Calculus 

The Fluent Calculus $\mathcal{FC}$ is a method for representation and reasoning about action and change [10]. In contrast to the Situation Calculus, states of the world are represented explicitly by terms of sort St. The solution of the frame problem in $\mathcal{FC}$ relies heavily on the use of the equational theory AC1 which defines $(St, \circ)$ to be a commutative monoid:

$\forall(x,y,z : St).\ (x \circ y) \circ z =_{AC1} x \circ (y \circ z)$

$\forall(x,y : St).\ x \circ y =_{AC1} y \circ x$        (AC1)

$\forall(x : St).\ x \circ 1^\circ =_{AC1} x$

The operation $\circ$ is used to compose states by combining atomic elements, called fluents, which represent elementary propositions. Although in general the Fluent Calculus can be seen as an extension of the Situation Calculus [23], we restrict ourselves here to $\mathcal{FC}$ domains as introduced in [10], since they can be represented as definite logic programs. We call such $\mathcal{FC}$ domains simple. In simple $\mathcal{FC}$ domains actions are defined using the predicate $action(\mathcal{C}(\bar{x}), A(\bar{x}), \mathcal{E}(\bar{x}))$ where $\mathcal{C}(\bar{x})$, $\mathcal{E}(\bar{x})$ are terms of sort St which might depend on the variables in $\bar{x}$ and $A(\bar{x})$ is a term of sort A which has the parameters $\bar{x}$, where the sort A represents the actions. Intuitively, executing an action $A(\bar{x})\theta$ will consume the fluents in $\mathcal{C}(\bar{x})\theta$ and produce the fluents in $\mathcal{E}(\bar{x})\theta$. If all fluents appearing in terms of sort St in predicates action of a simple $\mathcal{FC}$ domain are constants, we call the domain propositional.

Example 1. (propositional $\mathcal{FC}$ domain) Let $E_p$ be the following propositional $\mathcal{FC}$ domain with the fluents $f_1, \ldots, f_5$ and the actions $a_1, \ldots, a_6$:

action(f1, a1, f2).          action(f3, a4, f2).
action(f1, a2, f4).          action(f4, a5, f5 o f5).
action(f2, a3, f3 o f3).     action(f5, a6, f4).                                   □

Example 2. (simple $\mathcal{FC}$ domain) Let $E_s$ be the simple $\mathcal{FC}$ domain with the fluents $f_1, f_4, f_5$, the actions $a_2, a_5, a_6$ as defined for $E_p$ in Example 1 and the following predicates for $a_1, a_3(X), a_4(X)$:

action(f1, a1, f2(0)).
action(f2(X), a3(X), f3(foo(X)) o f3(foo(foo(X)))).
action(f3(X), a4(X), f2(X)).

The conjunctive planning problem (CPP) consists of deciding whether there is a finite sequence of actions such that its execution in a given initial state leads to a state which contains at least, i.e. covers, certain goal properties. The initial state and the goal properties are given as conjunctions of fluents, which can be represented as terms of sort St.

In the following, we consider the initial state to be completely known and represented by a ground term $St_{init}$ of sort St.

To describe the execution of action sequences, we define the following predicate which describes all pairs of states such that the second state can be reached from the first state by executing a finite sequence of actions:

reachable(S, S).
reachable(C o Y, D) ← action(C, A, E) ∧ reachable(Y o E, D).

Note that, in order to keep the representation simple, we do not explicitly keep track of the action sequence. Furthermore, since we propose to use program transformation techniques to solve the CPP, we do not encode the goal in the definition of reachable/2.¹ Also note that, for this interpreter to work correctly, it is important that $\circ$ is treated as a commutative and associative function symbol (e.g., $(f \circ g) \circ h$ should unify with $g \circ V$ with unifier $\{V / f \circ h\}$).

To specify and reason about equalities in a standard logic programming environment like Prolog, the particular underlying equational theory (e.g., AC1) has to be expressed by appropriate axioms. These axioms often cause trouble, e.g., if the solution to a unification problem is infinite, but it has been shown that equational theories can be successfully built into the unification procedure [20]. To allow a general treatment, SLD-resolution has been extended to SLDE-resolution, which uses a universal unification procedure based on the properties common to all equational theories [9,7]. In contrast to other techniques, SLDE-resolution allows one to cut down the often tremendous search space by merging equation solving and standard resolution steps. (Narrowing [8] is an efficient approach to solve certain equational theories, and can be integrated as part of the unification into SLDE.)

¹ This is in contrast to [10] where containment of goal properties is encoded in the program.
3 SLDE-Resolution

Formally, simple Fluent Calculus domains are (definite) E-programs $(P,E)$, i.e. logic programs $P$ with an equational theory $E$ [9,7]. An equational theory $E$ is defined as a set of universally closed formulas of the form $\forall(s =_E t)$ for some predicate $=_E$ complemented by the standard axioms of equality.² Consequently, if $E = \emptyset$ we obtain the standard equational theory, i.e. only syntactically identical terms are considered to be equal. In simple Fluent Calculus domains $E$ is given by AC1. Many other equational theories have been investigated, see e.g. [21] for a review.

An E-unification problem consists of terms $s, t$ and the question whether there exists a substitution $\sigma$ with $Dom(\sigma) \subseteq Vars(s) \cup Vars(t)$, s.t. $s\sigma =_E t\sigma$. If such a substitution $\sigma$ exists, $s$ and $t$ are called E-unifiable with E-unifier $\sigma$. For example, the terms $V \circ a$ and $a \circ b$ are AC1-unifiable with $\{V/b\}$.

A term $s$ is an E-instance of a term $t$, denoted $s \leq_E t$, iff there is a substitution $\sigma$ with $s =_E t\sigma$. Similarly, $\theta \leq_E \sigma$, for substitutions $\theta, \sigma$, iff for all terms $s$: $s\theta \leq_E s\sigma$.

Let $U_E(s,t)$ denote the set of all E-unifiers of the terms $s$ and $t$. Then, $U \subseteq U_E(s,t)$ is called complete if for all $\theta \in U_E(s,t)$ there exists $\sigma \in U$ and a substitution $\lambda$ s.t. $\forall x \in Vars(s) \cup Vars(t)$: $x\theta =_E x\sigma\lambda$. If $U$ is complete and for all $\theta, \sigma \in U$, $\theta \leq_E \sigma$ implies $\theta = \sigma$, then it is called minimal. Correspondingly, a unification algorithm is called complete (minimal) if, for arbitrary terms $s, t$, it computes a complete (minimal) set of E-unifiers.

Note that minimal sets of E-unifiers are always unique if they exist. Hence, we denote the minimal set of E-unifiers of $s$ and $t$ by $\mu U_E(s,t)$. We call a substitution in $\mu U_E(s,t)$ a most general E-unifier (mgeu) of $s$ and $t$.

Based upon this, one can define the concepts of SLDE-resolution, SLDE-derivations, SLDE-refutations and computed answers in the classical way. One can also define SLDE-trees, where the only difference with SLD-trees is that resolution with a clause can lead to more than one child (as $\mu U_E(s,t)$ may contain more than one substitution).

SLDE-trees are guaranteed to be finitely branching if the equational theory $E$ is finitary, i.e. if for all terms $s, t$ a finite complete set of E-unifiers exists. For example, it is well known that the equational theory AC1 is finitary.

In [10] it has been shown that SLDE-resolution is sound and complete for the CPP in simple $\mathcal{FC}$ domains, i.e. every solution of a CPP is entailed by SLDE-resolution. However, even for propositional $\mathcal{FC}$ domains the SLDE-tree may contain infinite derivations and consequently, the search for a plan may not terminate.

Example 3. (Ex. 1 cont'd) If we repeatedly apply the actions $a_3$ and $a_4$ in alternation, we obtain an infinite derivation:

← reachable(f2, S)
← action(f2, A, E) ∧ reachable(1° o E, S)            {A/a3, E/f3 o f3}
← reachable(f3 o f3, S)
← action(f3, A', E') ∧ reachable(f3 o E', S)         {A'/a4, E'/f2}
← reachable(f3 o f2, S)
← action(f2, A'', E'') ∧ reachable(f3 o E'', S)      {A''/a3, E''/f3 o f3}
…                                                                                   □

² These are reflexivity, symmetry, transitivity and substitutivity for all function and predicate symbols, respectively.
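The reachable/2 interpreter of Section 2, its looping behaviour in Example 3 and the Karp-Miller view of the CPP from the introduction, as an added Python example (this is my code, not the paper's or the authors'). It encodes Example 1 as I read it from the damaged listing (the a5 and a6 clauses are an assumption), represents states as multisets, runs the depth-first search that SLDE resolution performs on the reachable/2 program, and decides the CPP with a Karp-Miller coverability tree, the construction that makes the propositional case decidable:

```python
"""Conjunctive planning (CPP) in a propositional Fluent Calculus domain.

A state is a multiset of fluents and action(C, A, E) consumes C and produces E.
slde_dfs() explores the reachable/2 tree depth-first, as SLDE resolution does,
and can loop; coverable() decides the CPP with a Karp-Miller coverability tree
in which a fluent that can be pumped without bound is marked OMEGA.
"""
from typing import Dict, List, Optional, Tuple

OMEGA = float("inf")
State = Tuple[Tuple[str, float], ...]                       # sorted (fluent, multiplicity) pairs
Domain = Dict[str, Tuple[Dict[str, int], Dict[str, int]]]   # action name -> (C, E)

# Example 1 of the paper as read from the damaged listing; the a5 and a6
# clauses are my reading of it and therefore an assumption.
EXAMPLE_1: Domain = {
    "a1": ({"f1": 1}, {"f2": 1}),
    "a2": ({"f1": 1}, {"f4": 1}),
    "a3": ({"f2": 1}, {"f3": 2}),    # produces f3 o f3
    "a4": ({"f3": 1}, {"f2": 1}),
    "a5": ({"f4": 1}, {"f5": 2}),    # produces f5 o f5
    "a6": ({"f5": 1}, {"f4": 1}),
}


def state(**counts: float) -> State:
    """Canonical state term from multiplicities, e.g. state(f3=2) for f3 o f3."""
    return tuple(sorted((f, c) for f, c in counts.items() if c > 0))


def fire(s: State, consume: Dict[str, int], produce: Dict[str, int]) -> Optional[State]:
    """One step of reachable(C o Y, D) <- action(C, A, E), reachable(Y o E, D):
    split s AC1-style into C o Y and return Y o E, or None if C is not in s."""
    d = dict(s)
    for f, n in consume.items():
        if d.get(f, 0) < n:
            return None
        d[f] -= n                           # OMEGA - n stays OMEGA
    for f, n in produce.items():
        d[f] = d.get(f, 0) + n              # OMEGA + n stays OMEGA
    return tuple(sorted((f, c) for f, c in d.items() if c > 0))


def covers(s: State, goal: State) -> bool:
    """The CPP's success condition: s contains at least the fluents of goal."""
    d = dict(s)
    return all(d.get(f, 0) >= n for f, n in goal)


def slde_dfs(dom: Domain, init: State, goal: State, budget: int) -> Optional[List[str]]:
    """Depth-first search of the SLDE tree of reachable(init, S), actions tried in
    clause order. Returns a plan, or None once `budget` goals have been visited
    (the search is then stuck in an infinite branch or the tree was exhausted)."""
    stack: List[Tuple[State, List[str]]] = [(init, [])]
    for _ in range(budget):
        if not stack:
            return None
        s, plan = stack.pop()
        if covers(s, goal):
            return plan
        for name in reversed(list(dom)):    # push in reverse so a1 is expanded first
            nxt = fire(s, *dom[name])
            if nxt is not None:
                stack.append((nxt, plan + [name]))
    return None


def coverability_set(dom: Domain, init: State) -> List[State]:
    """Karp-Miller tree: whenever a new state strictly covers an ancestor on its
    branch, every fluent that grew is set to OMEGA, because repeating that branch
    pumps it. The tree is finite (Dickson's lemma), so this always terminates."""
    seen = {init}
    todo: List[Tuple[State, List[State]]] = [(init, [])]
    while todo:
        s, ancestors = todo.pop()
        for consume, produce in dom.values():
            nxt = fire(s, consume, produce)
            if nxt is None:
                continue
            for anc in ancestors + [s]:
                if nxt != anc and covers(nxt, anc):
                    a = dict(anc)
                    nxt = tuple(sorted((f, OMEGA if c > a.get(f, 0) else c) for f, c in nxt))
            if nxt not in seen:             # each state added here is expanded once
                seen.add(nxt)
                todo.append((nxt, ancestors + [s]))
    return sorted(seen)


def coverable(dom: Domain, init: State, goal: State) -> bool:
    """Decides the CPP: goal is coverable from init iff some node of the
    coverability set covers it (OMEGA covers any finite multiplicity)."""
    return any(covers(s, goal) for s in coverability_set(dom, init))


if __name__ == "__main__":
    print(slde_dfs(EXAMPLE_1, state(f1=1), state(f5=1), 10_000))   # None: stuck in the a3/a4 cycle
    print(coverable(EXAMPLE_1, state(f1=1), state(f5=1)))          # True, via a2 then a5
    print(coverable(EXAMPLE_1, state(f3=2), state(f4=1)))          # False, the instance of Ex. 4
```

Run as a script, the depth-first search from f1 towards f5 exhausts its budget inside the a3/a4 cycle of Example 3 although the plan a2, a5 exists, which is the "fails to find a plan if one exists" behaviour described in the introduction; the coverability set is finite (fluents pumped without bound are marked OMEGA) and answers both that instance and the unsolvable one of Example 4 (goal f4 from f3 o f3).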



To enable solving the CPP or similar problems despite potentially infinite SLDE-derivations, we propose to use partial deduction techniques. To this end, we extend the partial deduction method used in [16,15] to fit SLDE-resolution. Furthermore, we allow conjuncts to carry additional type information, thereby enabling more precise specialisations.



4 A Partial Deduction Algorithm for E-Programs

The general idea of partial deduction of ordinary logic programs [18] is to construct, given a query $\leftarrow Q$ of interest, a finite number of finite but possibly incomplete SLD-trees which "cover" the possibly infinite SLD-tree for $P \cup \{\leftarrow Q\}$ (and thus also all SLD-trees for all instances of $\leftarrow Q$). The derivation steps in these SLD-trees are the computations which have been pre-evaluated, and the clauses of the specialised program are then extracted by constructing one specialised clause (called resultant) per branch.

While the initial motivation for partial deduction was program specialisation, one can also use partial deduction as a top-down flow analysis of the program under consideration. Indeed, partial deduction will unfold the initial query of interest until it spots a dangerous growth, at which point it will generalise the offending calls and restart the unfolding from the thus obtained more general call. Provided a suitably refined control technique is used (e.g., [17,4]), one can guarantee termination as well as a precise flow analysis. As was shown in [15], such a partial deduction approach is powerful enough to provide a decision procedure for coverability problems for (reset) Petri nets and bears resemblance to the Karp-Miller procedure [12]. In the context of the CPP, the initial query of interest would be reachable(init, goal), where init and goal are the initial and the goal state respectively, and one would hope to obtain as a result a flow analysis from which it is clear whether the CPP has a solution.

Unfortunately, it has been demonstrated in [15] that "classical" partial deduction techniques may not be precise enough if state descriptions are complex. Similar problems occur if states are represented using non-empty equational theories, since abstractions just based on the "instance-of" relation and the associated most specific generalisation (msg) may be too crude (cf. also [14]).



Example 4. (Ex. 1 cont'd) The msg of the atoms reachable($f_3 \circ f_3$, S) and reachable($f_3 \circ f_3 \circ f_3$, S) is reachable($f_3 \circ f_3 \circ X$, S). This is quite unsatisfactory, as $X$ can represent any term, i.e., also terms containing other fluents such as $f_4$. In the context of the CPP this means that any action can potentially be executed from $f_3 \circ f_3 \circ X$, and we have thrown away too much information for the generalisation to be useful. For example, if our goal state is $f_4$, we would not be able to prove that we cannot solve the CPP from the initial state $f_3 \circ f_3$. □
In classical partial deduction there is no way of overcoming this problem, due to its inherent limitation that a call must represent all its instances (the same holds for narrowing-based partial evaluation [1]). Fortunately, this restriction has been lifted, e.g., in the abstract partial deduction framework of [14]. In essence, [14] extends partial deduction and conjunctive partial deduction [4] by working on abstract conjunctions on which abstract unfolding and abstract resolution operations are defined:

- An abstract conjunction is linked to the concrete domain of "ordinary" conjunctions via a concretisation function $\gamma$. In contrast to classical partial deduction, $\gamma$ can be much more refined than the "instance-of" relation. For example, an abstract conjunction can be a couple $(Q, \tau)$ consisting of a concrete conjunction $Q$ and some type³ information $\tau$, and $\gamma((Q,\tau))$ would be all the instances of $Q$ which respect the type information $\tau$. We could thus disallow $f_4$ to be an instance of $X$ in Ex. 4.

- An abstract unfolding operation maps an abstract conjunction $A$ to a set of concrete resultants $H_i \leftarrow B_i$, which have to be totally correct for all possible calls in $\gamma(A)$.

- For each such resultant $H_i \leftarrow B_i$ the abstract resolution will produce an abstract conjunction $Q_i$ approximating all the possible resolvent goals which can occur after resolving an element of $\gamma(A)$ with $H_i \leftarrow B_i$.

It is to this framework, suitably adapted to cope with SLDE-resolution, that we turn to remedy our problems. We will actually only consider abstract atoms consisting of a concrete atom together with some type information. The latter will be represented by canonical (deterministic) regular unary logic (RUL) programs [24,5]. To use a RUL program $R$ in an SLDE setting it must be ensured that every type $t$ defined by $R$ is "E-closed", i.e. if some term is of type $t$ then all E-equivalent terms are of type $t$ as well.

Definition 1. A canonical regular unary clause is a clause of the form

$t_0(f(X_1, \ldots, X_n)) \leftarrow t_1(X_1) \wedge \ldots \wedge t_n(X_n)$

where $n \geq 0$ and $X_1, \ldots, X_n$ are distinct variables. A canonical regular unary logic (RUL) program is a program $R$ where $R$ is a finite set of regular unary clauses, in which no two different clause heads have a common instance.

Let $E$ be an equational theory. $R$ is called E-closed if the least Herbrand model of $R$ and the least Herbrand model of $(R,E)$ are identical.

The set of ground terms $r$ such that $R \models t(r)$ is denoted by $T_R(t)$. A ground term $r$ is of type $t$ in $R$ iff $r \in T_R(t)$. Given a (possibly non-ground) conjunction $T$, we write $R \models \forall(T)$ iff for all ground instances $T'$ of $T$, $R \cup \{\leftarrow T'\}$ has an SLD-refutation.

So, to solve Ex. 4 one could use the following (E-closed) RUL program, representing all states using just the fluent $f_3$, and give the variable $X$ in Ex. 4 the type $t_3$:

$t_3(1^\circ).$    $t_3(f_3).$    $t_3(X \circ Y) \leftarrow t_3(X) \wedge t_3(Y).$

³ A type is simply a decidable set of terms closed under substitution.
Given two canonical RUL programs $R_1, R_2$, there exist efficient procedures for checking inclusion, computing the intersection and computing an upper bound using well-known algorithms on the corresponding automata [24]. Because of our definition, we can simply re-use the first two procedures to efficiently decide inclusion and compute the intersection of E-closed RUL programs. Furthermore, the intersection of two E-closed RUL programs is an E-closed RUL program. Given two RUL programs $R_1, R_2$ and two types $t_1, t_2$, we will denote by $(R_1,t_1) \cap (R_2,t_2)$ the couple $(R_3,t_3)$ obtained by the latter procedure (i.e., we have $T_{R_3}(t_3) = T_{R_1}(t_1) \cap T_{R_2}(t_2)$). We will not make use of the upper bound and provide our own generalisation mechanism.

Given some RUL program $R$, a type conjunction (in $R$) is simply a conjunction of the form $t_1(X_1) \wedge \ldots \wedge t_n(X_n)$ where all the $X_i$ are variables (not necessarily distinct) and all the $t_i$ are defined in $R$. We also define the notation $types_T(X) = \{t_j \mid t_j(X) \in T\}$ (where we allow $\in$ to be applied to conjunctions). E.g., $types_{t(X) \wedge t'(Z)}(Z) = \{t'\}$.

We now define the abstract domain used to instantiate the framework of [14]:

Definition 2. We define the RULE domain $(AQ, \gamma, E)$ to consist of an equational theory $E$, abstract conjunctions of the form $\langle Q,T,R\rangle \in AQ$ where $Q$ is a concrete conjunction, $R$ an E-closed RUL program, and $T$ a type conjunction in $R$ such that $T = t_1(X_1) \wedge \ldots \wedge t_n(X_n)$, where $Vars(Q) = \{X_1, \ldots, X_n\}$.⁴ The concretisation function $\gamma$ is defined by: $\gamma(\langle Q,T,R\rangle) = \{Q\theta \mid R \models \forall(T\theta)\}$.

We now define simplification and projection operations for type conjunctions. This will allow us to apply substitutions to abstract conjunctions as well as to define an (abstract) unfolding operation. As the above definition requires every variable to have exactly one type, the type of a variable $Z$ occurring in a substitution such as $\{X/Z, Y/Z\}$ has to be determined by type intersection.

Definition 3. Let $R$ be some RUL program. The relation $\rightsquigarrow_R$ which maps type conjunctions to type conjunctions is defined as follows:

- $t_1 \wedge t_2 \rightsquigarrow_R s_1 \wedge s_2$ if $t_1 \rightsquigarrow_R s_1$, $t_2 \rightsquigarrow_R s_2$, $s_1 \neq$ fail, and $s_2 \neq$ fail

- $t(X) \rightsquigarrow_R t(X)$ if $X$ is a variable

- $t(c) \rightsquigarrow_R$ true if $c$ is a constant with $c \in T_R(t)$

- $t(f(r_1, \ldots, r_n)) \rightsquigarrow_R s_1 \wedge \ldots \wedge s_n$ if $t(f(X_1, \ldots, X_n)) \leftarrow t_1(X_1) \wedge \ldots \wedge t_n(X_n) \in R$ and $t_i(r_i) \rightsquigarrow_R s_i$

- $t(r) \rightsquigarrow_R$ fail otherwise

We define a projection which projects a type conjunction $T$ in the context of a RUL program on a concrete conjunction $Q$, resulting in a new abstract conjunction: $proj(Q,T,R) = \langle Q, S', R'\rangle$, where $T \rightsquigarrow_R S$ and

- $S' = S$, $R' = \emptyset$ if $S =$ fail or $Vars(Q) = \emptyset$,

- otherwise $S' = t_1(X_1) \wedge \ldots \wedge t_n(X_n)$ where $Vars(Q) = \{X_1, \ldots, X_n\}$, $types_S(X_i) = \{t_{i,1}, \ldots, t_{i,k_i}\}$ and $(R_i, t_i) = (R, t_{i,1}) \cap \ldots \cap (R, t_{i,k_i})$. In this case $R' = R_1 \cup \ldots \cup R_n$.

⁴ Note that when writing, e.g., $Vars(Q) = \{X_1, \ldots, X_n\}$ all $X_i$ are assumed to be distinct.

We now define applying substitutions to abstract conjunctions: $\langle Q,T,R\rangle\theta = proj(Q\theta, T\theta, R)$.

For example, using the RUL program $R$ above, we have $t_3(f_3 \circ Z \circ Z) \rightsquigarrow_R$ true $\wedge\ t_3(Z) \wedge t_3(Z)$. We would thus have for $\theta = \{X/(f_3 \circ Z \circ Z)\}$ that $\langle p(X), t_3(X), R\rangle\theta = \langle p(f_3 \circ Z \circ Z), t_3(Z), R\rangle$.

To extend the notion of instantiation preorder to abstract conjunctions the subset relation between types has to be considered:

Definition 4. Let $A = \langle Q,T,R\rangle$, $A' = \langle Q',T',R'\rangle$ be abstract conjunctions in the RULE domain $(AQ, \gamma, E)$. We call $A'$ a RULE-instance of $A$, denoted by $A' \leq_{RULE} A$, iff

1. there exists a substitution $\theta$ such that $A\theta = \langle Q', T'', R''\rangle$ and

2. for all $X \in Vars(Q')$ with $types_{T'}(X) = \{t'\}$ and $types_{T''}(X) = \{t''\}$, we have $T_{R'}(t') \subseteq T_{R''}(t'')$.

We define $<_{RULE}$ and $=_{RULE}$ accordingly.

In the above example, $\langle p(f_3 \circ Z \circ Z), t_3(Z), R\rangle \leq_{RULE} \langle p(X), t_3(X), R\rangle$.

Definition 5. An unfolding rule is a function which, given a definite E-program $(P,E)$ and a goal $\leftarrow Q$, returns a non-trivial⁵ and possibly incomplete SLDE-tree for $(P,E)$ and $\leftarrow Q$.

Let $\tau$ be a finite (possibly incomplete) SLDE-tree for $(P,E)$, $\leftarrow Q$. Let $\leftarrow G_1, \ldots, \leftarrow G_n$ be the goals in the leaves of the non-failing branches of $\tau$. Let $\theta_1, \ldots, \theta_n$ be the computed answer substitutions of the SLDE-derivations from $\leftarrow Q$ to $\leftarrow G_1, \ldots, \leftarrow G_n$, respectively. Then the set of SLDE-resultants, resultants($\tau$), is defined to be the set of clauses $\{Q\theta_1 \leftarrow G_1, \ldots, Q\theta_n \leftarrow G_n\}$.

We can now define an abstract unfolding and an abstract resolution in the RULE domain. When a conjunction of the RULE domain is unfolded, the information concerning the types of variables can be used to reduce the number of resultants. Additionally, we will use Def. 3 to determine the types of leaf conjunctions.

Definition 6. Let $(P,E)$ be a definite E-program, $\langle Q,T,R\rangle$ an abstract conjunction in the RULE domain $(AQ, \gamma, E)$, $U$ an unfolding rule. We define the abstract unfolding and resolution operations aunf(.), ares(.) as follows:

- aunf($\langle Q,T,R\rangle$) $= \{Q\theta \leftarrow B \mid Q\theta \leftarrow B \in$ resultants($U(Q)$) $\wedge\ T\theta \not\rightsquigarrow_R$ fail$\}$

- ares($\langle Q,T,R\rangle$) $= \{proj(B, T\theta, R) \mid Q\theta \leftarrow B \in$ aunf($\langle Q,T,R\rangle$)$\}$

The following is a generic algorithm for abstract partial deduction, which structures the abstract conjunctions to be specialised in a global tree (see, e.g., [17]), and is parametrised by a covering test covered, a whistle detecting potential infinite loops, a generalisation operation abstract and a function partition to separate conjunctions into sub-conjunctions.

⁵ A trivial SLDE-tree has a single node where no literal has been selected for resolution.
Algorithm 4.1 (generic partial deduction algorithm)

Input: a definite E-program $(P,E)$, an abstract conjunction $A$ in $(AQ, \gamma, E)$.
Output: a set of abstract conjunctions $\mathcal{A}$, a specialised program $P'$, a global tree $\lambda$.
Initialisation: $\lambda$ := a "global" tree with a single unmarked node, labelled by $A$.

repeat
    pick an unmarked or abstracted leaf node $L$ in $\lambda$
    if covered($L$, $\lambda$) then mark $L$ as processed
    else
        if whistle($L$, $\lambda$) = $\top$ then
            mark $L$ as abstracted
            label($L$) := abstract($L$, $\lambda$)
        else
            mark $L$ as processed
            for all $A \in$ ares(label($L$)) do
                for all $A' \in$ partition($A$) do
                    add a new unmarked child $C$ of $L$ to $\lambda$
                    label($C$) := $A'$
until all nodes are processed

output $\mathcal{A}$ := {label($N$) | $N \in \lambda$}, $P'$ := $\bigcup$ {aunf($A$) | $A \in \mathcal{A}$}, and $\lambda$

Algorithm 4.2 (a partial deduction algorithm for the Fluent Calculus) We define a particular instance of the above algorithm as follows:

Unfolding used by $aunf(.)$: Let $(Q, T, R)$ be an abstract conjunction in the RULE domain and $(P, E)$ be a definite $E$-program. We define $U(Q)$ to be the maximal SLDE-tree $\tau$ such that every predicate $p$ is selected at most once in every branch of $\tau$.

covered: Let $L$ be a node labelled by an abstract conjunction in the RULE domain $(AQ, \gamma, E)$ and $\lambda$ a tree labelled by elements of $AQ$. Then we define $covered(L, \lambda)$ as true iff there is an ancestor $L'$ of $L$ such that $label(L') =_{RULE} label(L)$.

whistle: We extend the well-established homeomorphic embedding relation [22] to take regular types and the AC1 equational theory into account. To simplify the presentation, we use $\circ$ as a variable arity functor to represent terms of sort $St$ and disallow the use of $1^\circ$ and nesting of $\circ$ (e.g., we represent $a \circ ((b \circ 1^\circ) \circ c)$ by $\circ(a, b, c)$ and $1^\circ \circ 1^\circ$ by $\circ()$).

Definition 7. Let $A = (Q, T, R)$, $A' = (Q', T', R')$ be abstract conjunctions in the RULE domain $(AQ, \gamma, E)$. For the purposes of this definition we suppose that $\wedge$ is handled by $E$ as an associative and commutative function symbol. We say that $A$ is homeomorphically embedded in $A'$, $A \trianglelefteq_E A'$, iff $Q \trianglelefteq_E Q'$ where $\trianglelefteq_E$ on expressions is inductively defined as follows:

1. $X \trianglelefteq_E Y$ if $X, Y$ variables with $\tau_R(types_T(X)) \subseteq \tau_{R'}(types_{T'}(Y))$

2. $r \trianglelefteq_E Y$ for all variables $Y$ and ground terms $r$, with $r \in \tau_{R'}(types_{T'}(Y))$

3. $r \trianglelefteq_E f(s_1, \ldots, s_n)$ if $f \neq \circ$ and $r \trianglelefteq_E s_i$ for some $1 \leq i \leq n$

4. $f(r_1, \ldots, r_n) \trianglelefteq_E f(s_1, \ldots, s_n)$ if $f \neq \circ$ and $\forall i \in \{1, \ldots, n\} : r_i \trianglelefteq_E s_i$

5. $\circ(r_1, \ldots, r_m) \trianglelefteq_E \circ(s_1, \ldots, s_n)$ if there exists a permutation $s'_1, \ldots, s'_n$ of $s_1, \ldots, s_n$ such that $\forall i \in \{1, \ldots, m\} : r_i \trianglelefteq_E s'_i$.

Note that for point 3 we may have $n = 0$, and for point 5 $m, n$ can be 0. Intuitively, $s \trianglelefteq_E t$ means that we can obtain $s$ from $t$ by “striking out” certain sub-terms and by using the equational theory to re-write $s$ and $t$. E.g., we have $f(0) \circ g \trianglelefteq_E g \circ h \circ f(s(0))$. In general, of course, $\trianglelefteq_E$ will be quite expensive to compute ([19]). However, one can introduce a lot of optimisations to obtain an efficient implementation (sorting fluents and defining a normal form for terms; one can also always use the classical homeomorphic embedding which ignores $E$).
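As an added illustration of Definition 7 (not code from the paper), the following Python function checks $\trianglelefteq_E$ on terms in the paper's normal form, with the permutation search of case 5 made explicit. The type side of cases 1 and 2 is reduced to the flat fluent types of Ex. 5 (a term is of type $t_f$ iff all its $\circ$-elements are the fluent constant $f$); that reduction, the term encoding and the helper names are assumptions of this example.

```python
"""Homeomorphic embedding on terms with a variable-arity AC functor "o".

Added example (not code from the paper): implements the five cases of
Definition 7 for the normal form the paper uses, where every term of sort
St is written o(e_1, ..., e_n) without nesting (the empty state is o()).
Regular types are reduced to the flat fluent types of Ex. 5; that
simplification is an assumption of this example.
"""
from typing import Dict, List, Tuple

# Term encodings (constructed for this example):
#   ('V', name)          variable
#   ('F', name, args)    function term / constant, args a tuple of terms
#   ('O', elems)         state term o(e_1, ..., e_n), elems a tuple of terms
Term = tuple


def V(name: str) -> Term:
    return ('V', name)


def F(name: str, *args: Term) -> Term:
    return ('F', name, tuple(args))


def O(*elems: Term) -> Term:
    return ('O', tuple(elems))


def is_ground(t: Term) -> bool:
    if t[0] == 'V':
        return False
    children = t[2] if t[0] == 'F' else t[1]
    return all(is_ground(c) for c in children)


def in_type(t: Term, tname: str) -> bool:
    """r in tau_R(t_f): every element of the state is the fluent constant f."""
    fluent = F(tname[2:])           # 't_f1' names the fluent constant f1 (assumption)
    elems = t[1] if t[0] == 'O' else (t,)
    return all(e == fluent for e in elems)


def type_included(t1: str, t2: str) -> bool:
    """tau_R(t1) subseteq tau_R'(t2); distinct flat fluent types are disjoint."""
    return t1 == t2


def embeds(r: Term, s: Term, ty_r: Dict[str, str], ty_s: Dict[str, str]) -> bool:
    """r embedded in s (r <=_E s), with the variable typings ty_r / ty_s."""
    if r[0] == 'V' and s[0] == 'V':                               # case 1
        return type_included(ty_r[r[1]], ty_s[s[1]])
    if s[0] == 'V':                                               # case 2
        return is_ground(r) and in_type(r, ty_s[s[1]])
    if s[0] == 'F':
        f, args = s[1], s[2]
        if (r[0] == 'F' and r[1] == f and len(r[2]) == len(args)
                and all(embeds(ri, si, ty_r, ty_s) for ri, si in zip(r[2], args))):
            return True                                           # case 4 (n may be 0)
        return any(embeds(r, si, ty_r, ty_s) for si in args)      # case 3
    if s[0] == 'O' and r[0] == 'O':                               # case 5
        return _match(list(r[1]), list(s[1]), ty_r, ty_s)
    return False


def _match(rs: List[Term], ss: List[Term], ty_r, ty_s) -> bool:
    """Injective assignment of each r_i to a distinct s_j with r_i <=_E s_j.

    This is the permutation search of case 5; its backtracking is why the
    relation is expensive to compute in general.
    """
    if not rs:
        return True
    r, rest = rs[0], rs[1:]
    for j, s in enumerate(ss):
        if embeds(r, s, ty_r, ty_s) and _match(rest, ss[:j] + ss[j + 1:], ty_r, ty_s):
            return True
    return False


# The paper's own example: f(0) o g  <=_E  g o h o f(s(0)).
LEFT = O(F('f', F('0')), F('g'))
RIGHT = O(F('g'), F('h'), F('f', F('s', F('0'))))


def paper_example() -> Tuple[bool, bool]:
    """(LEFT embedded in RIGHT, RIGHT embedded in LEFT) on ground terms."""
    return embeds(LEFT, RIGHT, {}, {}), embeds(RIGHT, LEFT, {}, {})


def typed_example() -> Tuple[bool, bool, bool]:
    """Cases 1 and 2 on flat fluent types: f1 o f1 against a typed variable."""
    ground = O(F('f1'), F('f1'))
    return (
        embeds(ground, V('X'), {}, {'X': 't_f1'}),     # ground state of type t_f1
        embeds(ground, V('X'), {}, {'X': 't_f2'}),     # wrong fluent
        embeds(O(V('X')), O(V('Y')), {'X': 't_f1'}, {'Y': 't_f1'}),
    )
```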

The homeomorphic embedding relation is a well-quasi order (provided $\subseteq$ is a well-quasi order on the possible regular types of variables; see below) and can thus be used to ensure termination of program specialisation techniques [22]. We use $\trianglelefteq_E$ as follows. Let $L$ be a node labelled by an abstract conjunction in the RULE domain $(AQ, \gamma, E)$ and $\lambda$ a tree labelled by elements of $AQ$. We define $whistle_{\trianglelefteq_E}(L, \lambda) = T$ iff $L$ is not marked as abstracted and there is an ancestor $L'$ of $L$ such that $label(L') \trianglelefteq_E label(L)$.

abstract: To ensure that abstractions of types may occur only finitely often, we require the use of a well founded type system.

Definition 8. Let $E$ be an equational theory and $\mathcal{T}$ a set of tuples $(R, t)$ where $R$ is a RUL program and $t$ a predicate defined in $R$. We call $\mathcal{T}$ a well founded type system iff there is no infinite sequence $(R_1, t_1), (R_2, t_2), \ldots$ of elements of $\mathcal{T}$ such that $\tau_{t_i}(R_i) \subset \tau_{t_{i+1}}(R_{i+1})$ for all $i \geq 1$.

Definition 9. Let $E$ be an equational theory, $\mathcal{T}$ be a well-founded type system and $\mathcal{A}$ a set of abstract conjunctions in $(AQ, \gamma, E)$. The abstract conjunction $M = (Q, T, R)$ is called a RULE-generalisation of $\mathcal{A}$ wrt $\mathcal{T}$ iff

1. for all $t(X) \in T$ we have $(R, t) \in \mathcal{T}$,

2. for all $A \in \mathcal{A}$, $A \leq_{RULE} M$.

Furthermore, $M$ is called a most specific RULE-generalisation of $\mathcal{A}$ wrt $\mathcal{T}$, denoted by $M \in msg_{\mathcal{T}}(\mathcal{A})$, iff there exists no $M'$ such that conditions 1, 2 hold for $M'$ and $M' <_{RULE} M$.

For example, for $\mathcal{A} = \{(f_3, true, \emptyset), (f_3 \circ f_3, true, \emptyset)\}$ and using the single type defined by the RUL program for $t_3$ we get $msg_{\mathcal{T}}(\mathcal{A}) = \{(f_3 \circ X, t_3(X), R)\}$.

Again, for other equational theories than (AC1) and more complicated type systems a most specific generalisation might be difficult to compute (and may not be unique). To accelerate convergence (and to simplify our completeness proof for CPP later on), we actually choose an element $M' = (Q, T, R)$ of $msg_{\mathcal{T}}(\mathcal{A})$ and then remove the maximum number of subterms from $Q$ so that the resulting abstract conjunction is still more general than $M'$ (in the sense of $\leq_{RULE}$). We will denote the result by $nmsg_{\mathcal{T}}(\mathcal{A})$. For example, we would instead of using $M' = (f_3 \circ X, t_3(X), R)$ use the more general $nmsg_{\mathcal{T}}(\mathcal{A}) = (X, t_3(X), R)$. This loses some precision, but convergence is accelerated, and actually no vital information for the CPP is lost!

Let $L$ be a node labelled by an abstract conjunction in the RULE domain $(AQ, \gamma, E)$ and $\lambda$ a tree labelled by elements of $AQ$. Let $\mathcal{L}$ denote the set of all ancestors of $L$ in $\lambda$ such that $L' \in \mathcal{L}$ iff $label(L') \trianglelefteq_E label(L)$. Furthermore, let $\mathcal{A}$ denote the set of labels of $\mathcal{L}$. Then we define $abstract(L, \lambda) = nmsg_{\mathcal{T}}(\mathcal{A})$.

partition: Let $A = (Q, T, R)$ be an abstract conjunction in $(AQ, \gamma, E)$ and $\mathcal{T}$ a well-founded type system. We define $partition(A) = atoms(nmsg_{\mathcal{T}}(\{A\}))$.



Example 5. (Ex. 1 cont'd) Additionally to the actions of Ex. 1 and the domain independent reachable/2, let the initial state be defined as $St_{init} = f_1$.

In this example every abstract conjunction $C \in AQ$ will be of the form $(reachable(u, v), T, R)$ where $v = V_{f_1} \circ \ldots \circ V_{f_5}$ and $\forall 1 \leq i \leq 5 : t_{f_i}(V_{f_i}) \in T$ (representing that $f_1, \ldots, f_5$ may occur arbitrarily often in the final state). Furthermore, $u$ is of sort $St$ where $\forall U \in Vars(u)\ \exists 1 \leq i \leq 5$ s.t. $t_{f_i}(U) \in T$. Finally, $R$ consists of predicates $(t_{f_i})$ for each fluent $f_i$:

$t_{f_i}(X \circ Y) \leftarrow t_{f_i}(X) \wedge t_{f_i}(Y)$.

We define the type system as $\mathcal{T} = \{(R, t_{f_i}) \mid 1 \leq i \leq 5\}$. Then, the following tree is generated by our partial deduction algorithm with input $\Sigma_1$ and initial abstract conjunction $(reachable(St_{init}, V_{f_1} \circ \ldots \circ V_{f_5}), \{t_{f_1}(V_{f_1}) \wedge \ldots \wedge t_{f_5}(V_{f_5})\}, R)$:

[Figure: the global tree generated for Ex. 5. Its nodes are labelled $r_j(u, v)$, with $r_1(f_1, v)$ at the root, and its edges by the actions $a_i$; the drawing is not reproduced here.]

To simplify the picture the RUL programs and type conjunctions have not been represented. The RUL programs do not change in this example and the type information has been depicted as follows: $v$ represents $V_{f_1} \circ \ldots \circ V_{f_5}$ and the type conjunction $T_j$ for each node $r_j(u, v)$ contains atoms $t_{f_i}(V_{f_i})$, $i = 1, \ldots, 5$, and $t_{f_i}(U_{f_i})$ if they are used; $t_{f_i}$ is defined by the corresponding RUL program $(t_{f_i})$. Finally, $r_j(u, v)$ is the $j$th node with label $(reachable(u, v), T_j, R)$.

For example, we can conclude from the tree that every fluent can be generated arbitrarily often. But, e.g., it is impossible to reach a state containing both $f_2$ and $f_4$. □



Example 6. (Ex. 2 cont'd) Additionally to the actions defined in Ex. 2 and the domain independent reachable/2, let the initial state be defined as $St_{init} = f_1$. In this example every abstract conjunction $C \in AQ$ will be of the form $(reachable(u, v), T, R)$ where again $v = V_{f_1} \circ \ldots \circ V_{f_5}$ and $t_{f_i}(V_{f_i}) \in T$. Also, $u$ is of sort $St$ where for all $U \in Vars(u)$ either $\exists 1 \leq i \leq 5$ s.t. $t_{f_i}(U) \in T$ or $t_{foo}(U) \in T$. $R$ contains $(t_{f_i})$ of Ex. 5 for $i = 1, 4, 5$, and for $i = 2, 3$ and $t_{foo}$, respectively:

$t_{foo}(0).$

$t_{f_i}(f_i(X)) \text{ :- } t_{foo}(X).$ $\quad t_{foo}(foo(X)) \text{ :- } t_{foo}(X).$

$t_{f_i}(Y \circ X) \text{ :- } t_{f_i}(X).$

We define the type system $\mathcal{T} = \{(R, t_{f_i}) \mid 1 \leq i \leq 5\} \cup \{(R, t_{foo})\}$. Then, the following tree is generated by our partial deduction algorithm with input $\Sigma_2$ and initial abstract conjunction $(reachable(St_{init}, V_{f_1} \circ \ldots \circ V_{f_5}), \{t_{f_1}(V_{f_1}) \wedge \ldots \wedge t_{f_5}(V_{f_5})\}, R)$:



[Figure: the global tree generated for Ex. 6. Its nodes are labelled $r_j(u, v)$, with $r_1(f_1, v)$ at the root, and its edges by the actions $a_i$ (instantiated with the $foo$-terms of the example); the drawing is not reproduced here.]

Again, to simplify the picture the RUL programs and type conjunctions have not been represented. RUL programs do not change in this example and the type information has been depicted as follows: $v$ represents $V_{f_1} \circ \ldots \circ V_{f_5}$ and the type conjunction $T_j$ for each node $r_j(u, v)$ contains atoms $t_{f_i}(V_{f_i})$, $i = 1, \ldots, 5$, and $t_{f_i}(U_{f_i})$, $t_{foo}(U_{foo})$ if they are used; $t_{f_i}$, $t_{foo}$ are defined by the corresponding RUL programs $(t_{f_i})$ and $(t_{foo})$. Finally, $r_j(u, v)$ is the $j$th node with label $(reachable(u, v), T_j, R)$.

For example, we can conclude from the tree that it is possible to generate a state containing arbitrarily many instances of the fluent $f_2$. But we cannot conclude whether we can generate a state containing arbitrarily many copies of one particular instance of $f_2$. □



5 Completeness wrt. $\mathcal{FC}_P$

In [13] it has been shown that Petri net algorithms can be used to decide temporal properties of propositional Fluent Calculus domains. In particular, to every propositional FC domain with completely defined initial state exists a bisimilar Petri net. Furthermore, the conjunctive planning problem for the propositional FC can be expressed as a formula in the temporal logic CTL (CTL respects bisimulation). The same formula is known to describe coverability properties of Petri nets. Coverability problems can be decided using the Karp-Miller tree [12]. This tree can also be generated by the partial deduction algorithm 4.1 using the instantiations of section 4. By doing so, we show that the proposed partial deduction method is complete wrt. conjunctive planning problems.

Theorem 1. Let $\Sigma$ be a propositional FC domain, $\mathcal{A}_\Sigma$ the RULE domain defined as in example 5 and $St_{init}$ some ground term of sort $St$. Then the partial deduction algorithm applied to $\Sigma$, $\mathcal{A}_\Sigma$ and $A = (reachable(St_{init}, V_{f_1} \circ \ldots \circ V_{f_n}), \{t_{f_1}(V_{f_1}) \wedge \ldots \wedge t_{f_n}(V_{f_n})\}, R)$ will produce a global tree $\lambda$ which is isomorphic to a Karp-Miller coverability tree of the corresponding Petri net $\Pi$.

6 Conclusion 

We have presented a generic and a more specific abstract partial deduction 
method for equational logic programs, based upon an abstract domain with reg- 
ular types. This is one of the first full instantiations of the framework in [14] 
(see also the independently developed [6]). The main motivation was to obtain 
a useful method for tackling the conjunctive planning problem in the fluent cal- 
culus, stimulated by earlier success of partial deduction for solving coverability 
problems in the Petri net area. We were able to prove that our more specific 
method is a decision procedure for the conjunctive planning problem in the 
propositional fluent calculus. However, the method can also be applied to more 
expressive fragments of the fluent calculus or extended to cope with other for- 
malisms such as process algebras (where, contrary to Petri nets, type information 
is also vital), and we believe that it will be able to provide useful results in that 
setting. Finally, the methods can of course also be used to specialise fluent cal- 
culus descriptions, and can also be applied to “ordinary” logic programs, where 
the additional precision of the regular types should pay off in terms of improved 
specialisation. In the future we hope to produce a full-fledged implementation 
to test these claims. 
A Completeness of Partial Deduction

Definition 10. A Petri net $\Pi$ is a tuple $(S, T, F, M_0)$ consisting of a finite set of places $S$, a finite set of transitions $T$ with $S \cap T = \emptyset$ and a flow relation $F$ which is a function from $(S \times T) \cup (T \times S)$ to $\mathbb{N}$. A marking $M$ for $\Pi$ is a mapping $S \to \mathbb{N}$. $M_0$ is a marking called initial.

A transition $t \in T$ is enabled in a marking $M$ iff $\forall s \in S : M(s) \geq F(s, t)$. An enabled transition can be fired, resulting in a new marking $M'$ defined by $\forall s : M'(s) = M(s) - F(s, t) + F(t, s)$. We will denote this by $M[t\rangle M'$. By $M[t_1, \ldots, t_k\rangle M'$ we denote the fact that for some intermediate markings $M_1, \ldots, M_{k-1}$ we have $M[t_1\rangle M_1, \ldots, M_{k-1}[t_k\rangle M'$.

We define the reachability tree $RT(\Pi)$ inductively as follows: Let $M_0$ be the label of the root node. For every node $n$ of $RT(\Pi)$ labelled by some marking $M$ and for every transition $t$ which is enabled in $M$, add a node $n'$ labelled $M'$ such that $M[t\rangle M'$ and add an arc from $n$ to $n'$ labelled $t$. The set of all labels of $RT(\Pi)$ is called the reachability set of $\Pi$, denoted $RS(\Pi)$.

For convenience, we denote $M \geq M'$ iff $M(s) \geq M'(s)$ for all places $s \in S$. We also introduce pseudo-markings, which are functions from $S$ to $\mathbb{N} \cup \{\omega\}$ where we also define $\forall n \in \mathbb{N} : \omega > n$ and $\omega + n = \omega - n = \omega + \omega = \omega$. Using this we also extend the notation $M[t_1, \ldots, t_k\rangle M'$ to such markings.

Many interesting properties of Petri nets can be investigated using the so-called Karp-Miller tree resulting from the following algorithm², first defined in [12]. The Karp-Miller tree is a finite abstraction of the set of reachable markings $RS(\Pi)$ with which we can decide whether it is possible to “cover” some arbitrary marking $M'$ (i.e., $\exists M'' \in RT(\Pi) : M'' \geq M'$) simply by checking whether a node in the tree covers $M'$.

Algorithm A.1 (Karp-Miller-Tree)

Input: a Petri net Π = (S, T, F, M_0)
Output: a tree KM(Π) of nodes labelled by pseudo-markings
Initialisation: set U := {node(r, M_0)} of unprocessed nodes

while U ≠ ∅
  select some (k, M) ∈ U;
  if there is no ancestor node (k_1, M_1) of (k, M) with M = M_1 then
    M_2 := M;
    for all ancestors (k_1, M_1) of (k, M) such that M_1 < M do
      for all places p ∈ S such that M_1(p) < M(p) do M_2(p) := ω;
    M := M_2;
    for every transition t such that M[t⟩M' do
      create node (k', M');
      create arc labelled t from (k, M) to (k', M');
      U := U ∪ {(k', M')};
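The following Python implementation of Definition 10 and Algorithm A.1 is an added example, not the paper's code. It runs on a constructed propositional domain (fluents f1, f2, f4 and actions a1..a3, not those of Ex. 1), keeps ω as a marking value, and follows the firing rule above: the condition C of an action is consumed and its effect E produced, as in the unfolding step in the proof of Lemma 4.

```python
"""Karp-Miller coverability tree for the Petri net of a propositional FC domain.

Added example, not code from the paper: it implements Definition 10 and
Algorithm A.1 with omega-markings on a small constructed domain whose
actions are given as action(C, a, E) clauses (C consumed, E produced).
The fluents f1, f2, f4 and actions a1..a3 are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OMEGA = float("inf")         # omega: greater than every n, omega + n = omega - n = omega
Marking = Dict[str, float]   # pseudo-marking: place S(f) -> natural number or omega


@dataclass
class Action:
    name: str
    consumes: Dict[str, int]   # |C, f| per fluent (tokens taken from S(f))
    produces: Dict[str, int]   # |E, f| per fluent (tokens put into S(f))


@dataclass
class Node:
    marking: Marking
    parent: Optional["Node"] = None
    children: List[Tuple[str, "Node"]] = field(default_factory=list)

    def ancestors(self) -> List["Node"]:
        out, n = [], self.parent
        while n is not None:
            out.append(n)
            n = n.parent
        return out


def enabled(m: Marking, a: Action) -> bool:
    """t enabled in M iff M(s) >= F(s, t) for all places s."""
    return all(m[f] >= k for f, k in a.consumes.items())


def fire(m: Marking, a: Action) -> Marking:
    """M'(s) = M(s) - F(s, t) + F(t, s); float('inf') supplies the omega arithmetic."""
    new = dict(m)
    for f, k in a.consumes.items():
        new[f] -= k
    for f, k in a.produces.items():
        new[f] += k
    return new


def leq(m1: Marking, m2: Marking) -> bool:
    return all(m1[p] <= m2[p] for p in m1)


def karp_miller(places: List[str], actions: List[Action], m0: Marking) -> Node:
    """Algorithm A.1: a node is expanded unless an ancestor carries the same
    marking; strictly smaller ancestors accelerate the grown places to omega."""
    root = Node(dict(m0))
    unprocessed = [root]
    while unprocessed:
        node = unprocessed.pop()
        anc = node.ancestors()
        if any(a.marking == node.marking for a in anc):
            continue                      # covered: this marking is already in the tree
        m2 = dict(node.marking)
        for a in anc:
            if leq(a.marking, node.marking) and a.marking != node.marking:
                for p in places:
                    if a.marking[p] < node.marking[p]:
                        m2[p] = OMEGA
        node.marking = m2
        for act in actions:
            if enabled(node.marking, act):
                child = Node(fire(node.marking, act), node)
                node.children.append((act.name, child))
                unprocessed.append(child)
    return root


def nodes(root: Node) -> List[Node]:
    out, stack = [], [root]
    while stack:
        n = stack.pop()
        out.append(n)
        stack.extend(c for _, c in n.children)
    return out


def covers(root: Node, target: Marking) -> bool:
    """Coverability: some node label M'' has M'' >= target on the given places."""
    return any(all(n.marking[p] >= v for p, v in target.items()) for n in nodes(root))


def sample_domain() -> Tuple[List[str], List[Action], Marking]:
    """Constructed domain: St_init = f1; a1: f1 -> f2, a2: f1 -> f4, a3: f2 -> f2 o f2."""
    places = ["f1", "f2", "f4"]
    actions = [
        Action("a1", {"f1": 1}, {"f2": 1}),
        Action("a2", {"f1": 1}, {"f4": 1}),
        Action("a3", {"f2": 1}, {"f2": 2}),
    ]
    return places, actions, {"f1": 1, "f2": 0, "f4": 0}


if __name__ == "__main__":
    for n in nodes(karp_miller(*sample_domain())):
        print(n.marking)
```

On the sample domain the tree has five nodes; f2 is accelerated to ω (arbitrarily many copies are reachable) while no node covers a marking with both f2 and f4, mirroring the two conclusions drawn from the tree of Ex. 5.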

We will now formally prove that the algorithm 4.1 with the instantiation of section 4.2 can be used to decide coverability problems. For this we need to establish a link between pseudo-markings in the Karp-Miller tree and abstract conjunctions produced by partial deduction.

Let $\Sigma$ be some propositional FC domain. Let $F_\Sigma = \{f_1, \ldots, f_n\}$ be the fluents and $A_\Sigma = \{a_1, \ldots, a_m\}$ the actions defined in $\Sigma$. We define $|t, f|$ as the number of occurrences of $f \in F_\Sigma$ in the ground term $t$. According to [13], the Petri net $(S, T, F, M_0)$ corresponding to a propositional FC domain $\Sigma$ is given by associating a unique place $S(f) \in S$ to each $f \in F_\Sigma$. Every clause $action(\mathcal{C}, a, \mathcal{E})$ in $\Sigma$ with $a \in A_\Sigma$ is associated a transition $T(a) \in T$. The flow relation is defined by $F(T(a), S(f)) = |\mathcal{C}, f|$ and $F(S(f), T(a)) = |\mathcal{E}, f|$ for every $f \in F_\Sigma$ and $a \in A_\Sigma$. Let $\mathcal{A}_\Sigma$ be the RULE domain $(AQ, \gamma, AC1)$ where every abstract conjunction $C \in AQ$ is of the form $(reachable(u, v), H, R)$ where $v = V_{f_1} \circ \ldots \circ V_{f_n}$, $u$ are terms of sort $St$ and for all variables $U_f \in Vars(u)$, where $f \in F_\Sigma$, $t_f(U_f) \in H$ and for all $V_f \in Vars(v)$, where $f \in F_\Sigma$, $t_f(V_f) \in H$.

² The algorithm presented here differs slightly from the original.

$R$ consists of the predicates $(t_f)$ for each fluent $f \in F_\Sigma$ as defined in example 5 for $(t_{f_i})$. Then, we define the pseudo-marking $C^{\mathcal{M}}$ of $C$ for each $f \in F_\Sigma$:

$C^{\mathcal{M}}(S(f)) = \omega$ if $\exists X \in Vars(u)$ with $t_f(X) \in H$, and $C^{\mathcal{M}}(S(f)) = |u, f|$ otherwise.

Accordingly, the initial marking corresponding to some $St_{init}$ is given by $(reachable(St_{init}, V_{f_1} \circ \ldots \circ V_{f_n}), \{t_{f_1}(V_{f_1}) \wedge \ldots \wedge t_{f_n}(V_{f_n})\}, R)^{\mathcal{M}}$.

Additionally, we associate with every pseudo-marking $M$ and RUL program $R$ as defined above an abstract conjunction $M^{\mathcal{C}} = (reachable(u, v), H, R)$ s.t. for every fluent $f \in F_\Sigma$, the term $u$ contains $f$ exactly $M(S(f))$ times if $M(S(f)) \neq \omega$. For every $f \in F_\Sigma$ with $M(S(f)) = \omega$, $u$ contains a variable $X$ and $H$ a type declaration $t_f(X)$, and $v = V_{f_1} \circ \ldots \circ V_{f_n}$ with $t_{f_i}(V_{f_i}) \in H$ for all $1 \leq i \leq n$.

To prove that the tree generated by our PD algorithm is isomorphic to the Karp-Miller tree, we use the following propositions establishing links between the algorithms 4.2 and A.1.

Lemma 1. Let $L_1, L_2$ be some nodes of the tree $\lambda$ which is labelled by abstract conjunctions of $\mathcal{A}_\Sigma$. Let $C_1 = (reachable(u_1, v), T_1, R) = label(L_1)$ and $C_2 = (reachable(u_2, v), T_2, R) = label(L_2)$. Then $C_1 =_{RULE} C_2$ iff $C_1^{\mathcal{M}} = C_2^{\mathcal{M}}$.

Proof. This follows using the mappings $\cdot^{\mathcal{M}}$ and $\cdot^{\mathcal{C}}$ between markings and abstract conjunctions as defined above and the fact that $(C^{\mathcal{M}})^{\mathcal{C}} =_{RULE} C$ for abstract conjunctions $C = (reachable(u, v), T, R)$: from the definition, $C_1 =_{RULE} C_2$ iff for all fluents $f$ holds either 1. the number of $f$ in $u_1$ and $u_2$ must be equal, or 2. there are variables $X$ in $u_1$ and $Y$ in $u_2$ s.t. $t_f(X) \in T_1$ and $t_f(Y) \in T_2$. □

Lemma 2. Let $L$ be some node of the tree $\lambda$ which is labelled by abstract conjunctions of $\mathcal{A}_\Sigma$. Let $C = (reachable(u, v), T, R) = label(L)$ and $C_0, C_1, \ldots, C_n$ be the sequence of labels of the ancestors of $L$ in $\lambda$ where $C_0$ is the label of the root node. $whistle(L, \lambda) = T$ iff there is some $L_k$ labelled $C_k$, $0 \leq k \leq n$, with $C_k^{\mathcal{M}} \leq C^{\mathcal{M}}$.

Proof. According to the definition, whistle returns $T$ iff there is some ancestor $L_k$ of $L$ labelled $C_k$ s.t. $C_k \trianglelefteq_E C$. If $u_k$ does not contain a variable of type $t_f$ for fluent $f \in F_\Sigma$ and $C_k \trianglelefteq_E C$, then by case 5 of the definition of $\trianglelefteq_E$ follows $C_k^{\mathcal{M}}(S(f)) \leq C^{\mathcal{M}}(S(f))$. Otherwise, by case 1 follows $C_k^{\mathcal{M}}(S(f)) \leq C^{\mathcal{M}}(S(f))$ if $C_k$ contains a variable of type $t_f$ as well, or by case 2, $C_k^{\mathcal{M}}(S(f)) \leq C^{\mathcal{M}}(S(f))$ if $C_k$ contains any number of copies of $f$. Note that due to the use of nmsg a label $C'$ in $\lambda$ may never contain both copies of $f$ and a variable of type $t_f$. Now, let $C_k = (reachable(u_k, v_k), T_k, R)$ be an abstract conjunction in $\mathcal{A}_\Sigma$ and $C_k^{\mathcal{M}}(S(f)) \leq C^{\mathcal{M}}(S(f))$ for all fluents $f$. If $C_k$ contains a variable of type $t_f$, case 1 of $\trianglelefteq_E$ applies iff $C$ contains an appropriate variable, i.e. iff $C^{\mathcal{M}}(S(f)) = \omega$. Otherwise, if $C_k$ contains copies of $f$ then case 2 applies iff $C^{\mathcal{M}}(S(f)) = \omega$ and case 5 applies iff $C_k^{\mathcal{M}}(S(f)) \leq C^{\mathcal{M}}(S(f)) \neq \omega$. □

Lemma 3. Let $L$ be some node of the tree $\lambda$ which is labelled by abstract conjunctions of $\mathcal{A}_\Sigma$. Let $C = (reachable(u, v), T, R) = label(L)$ and $\{C_1, \ldots, C_n\}$ be the sequence of labels of ancestors of $L$ in $\lambda$ s.t. $C_i \trianglelefteq_E C$ for all $1 \leq i \leq n$. Let $\mathcal{T}$ consist of all pairs $(t, R)$ s.t. $t$ is a predicate in $R$. $C' = abstract(L, \lambda)$ iff $C'^{\mathcal{M}} = M'$ and $M'$ is defined as follows: if for some fluent $f$ there exists an ancestor $C_k$ of $C$ in $\lambda$ s.t. $C_k^{\mathcal{M}} \leq C^{\mathcal{M}}$ and $C_k^{\mathcal{M}}(f) < C^{\mathcal{M}}(f)$, $M'(f) = \omega$, otherwise $M'(f) = C^{\mathcal{M}}(f)$.

Proof. Note that $\mathcal{T}$ is a finite set s.t. for any two $(R, t_1), (R, t_2) \in \mathcal{T}$, $\tau_R(t_1) \cap \tau_R(t_2) = \emptyset$. Furthermore, every $\tau_R(t)$ with $(R, t) \in \mathcal{T}$ consists only of terms constructed by combining copies of one particular fluent $f \in F_\Sigma$ using $\circ$. Hence, from the definition of abstract and $nmsg_{\mathcal{T}}$ follows that $C'$ contains a variable of type $t_f$ iff there is some ancestor $L_k$ of $L$ labelled $C_k$ s.t. $C_k \trianglelefteq_E C$ and $C_k^{\mathcal{M}}(f) < C^{\mathcal{M}}(f)$: on one hand, condition 2 in definition 9 ensures that $C$ and $C_k$ are both instances of $C' = (reachable(u', v), T', R)$. This can only be the case if $C_k^{\mathcal{M}}(f) < C^{\mathcal{M}}(f)$ and $C^{\mathcal{M}}(f) \leq C'^{\mathcal{M}}(f)$ and hence, $u'$ must contain a variable of type $t_f$ representing $\omega$. Furthermore, from the definition of $nmsg_{\mathcal{T}}$, a fluent $f$ must not occur in $u'$ if $u'$ contains a variable of type $t_f$. On the other hand, from definition 9 follows that $u'$ must not contain a variable of type $t_f$ if $C_k^{\mathcal{M}}(f) = C^{\mathcal{M}}(f)$ for all ancestors with label $C_k$ and $C_k^{\mathcal{M}} \leq C^{\mathcal{M}}$. In this case, since $C_k \trianglelefteq_E C$, the same number of copies of fluent $f$ occurs in $u'$ as in $u$. □

Lemma 4. Let $L_1, L_2$ be some nodes of the tree $\lambda$ which is labelled by abstract conjunctions of $\mathcal{A}_\Sigma$. Let $C_1 = (reachable(u_1, v), T_1, R) = label(L_1)$ and $C_2 = (reachable(u_2, v), T_2, R) = label(L_2)$. $C_2 \in partition(ares(aunf(L_1)))$ iff there is an action $A$ s.t. $C_1^{\mathcal{M}}[T(A)\rangle C_2^{\mathcal{M}}$.

Proof. The procedures $ares()$ and $aunf()$ can be simplified: since a variable may never have two or more types, conjunctions of types do not have to be computed; $ares()$ and $aunf()$ unfold and ensure the types of variables only. According to the used unfolding rule an atom $reachable(u_1, v)$ is unfolded s.t. every occurring predicate is unfolded once, i.e. into the subgoals $action(\mathcal{C}, A, \mathcal{E})$ where $\mathcal{C}, A, \mathcal{E}$ are ground and $reachable(u'_1, v)$ where $u_1 =_{AC1} V \circ \mathcal{C}$ and $u'_1 =_{AC1} V \circ \mathcal{E}$. According to the AC1 unification, if $u_1 =_{AC1} V \circ \mathcal{C}$ either $|\mathcal{C}, f| \leq |u_1, f|$ or there is a variable of type $t_f$ in $u_1$. Consequently, $u_1 =_{AC1} V \circ \mathcal{C}$ iff $T(A)$ is enabled in $C_1^{\mathcal{M}}$. Furthermore, if $u_1$ does not contain a variable of type $t_f$, it holds $|u'_1, f| = |u_1, f| - |\mathcal{C}, f| + |\mathcal{E}, f|$. Otherwise, the codomain of any mgeu for $u_1$ and $V \circ \mathcal{C}$ must contain a variable $X$ s.t. $t_f(X)$. Let $T'_1$ be the set of such type declarations. Then, with $C'_1 = (reachable(u'_1, v), T'_1, R)$, it follows $C_1^{\mathcal{M}}[T(A)\rangle C'^{\mathcal{M}}_1$. However, $u'_1$ may contain copies of a fluent $f$ even if there is a variable $X$ in $u'_1$ with $t_f(X) \in T'_1$. Using the partition function with $nmsg_{\mathcal{T}}$, $u_2$ is defined as $u'_1$ where such additional copies are removed. By this it is ensured that for every marking $M$ with $C_1^{\mathcal{M}}[T(A)\rangle M$, $M^{\mathcal{C}} =_{RULE} C_2$. □

Proof (theorem 1). Per definition $U = \{node(r, M_0)\}$ where $M_0 = A^{\mathcal{M}}$. Now, we show the correspondence between each step in algorithm A.1 and algorithm 4.1. First, both algorithms terminate if no unprocessed nodes remain. Second, in algorithm 4.1 a selected node $L$ is marked processed if $covered(L, \lambda)$ is true. Let $(k, M)$ be the node selected by algorithm A.1 with $M = label(L)^{\mathcal{M}}$. According to lemma 1, $covered(L, \lambda)$ iff there is an ancestor node $(k_1, M_1)$ with $M = M_1$. In this case $(k, M)$ is marked processed by algorithm A.1 (i.e. removed from the list of unprocessed nodes). Third, algorithm 4.1 calls $abstract(L, \lambda)$ if $whistle(L, \lambda) = T$. Using lemma 2, $whistle(L, \lambda) = T$ iff there is some ancestor $L_k$ of $L$ s.t. $label(L_k)^{\mathcal{M}} \leq label(L)^{\mathcal{M}}$. In algorithm A.1, abstraction is performed for every ancestor $(k_1, M_1)$ of $(k, M)$ with $M_1 < M$. Since the case $M_1 = M$ and $label(L_k) =_{RULE} label(L)$, respectively, has already been checked, it remains to be shown that $C' = abstract(L, \lambda)$ iff $C'^{\mathcal{M}} = M'$ and $M'$ is defined as follows: if for some fluent $f$ there exists an ancestor $L_k$ of $L$ in $\lambda$ s.t. $label(L_k)^{\mathcal{M}} \leq label(L)^{\mathcal{M}}$ and $label(L_k)^{\mathcal{M}}(f) < label(L)^{\mathcal{M}}(f)$, $M'(f) = \omega$, otherwise $M'(f) = label(L)^{\mathcal{M}}(f)$. This has been shown in lemma 3. Finally, from lemma 4 follows that $C_2 \in partition(ares(aunf(L_1)))$ iff there is an action $A$ s.t. $C_1^{\mathcal{M}}[T(A)\rangle C_2^{\mathcal{M}}$. □




A Kripkean Semantics for Dynamic Logic 
Programming 



Jan Sefranek 

Institute of Informatics, Comenius University 
811 03 Bratislava, Slovakia 
e-mail: sefranek@fmph.uniba.sk 

Keywords: knowledge representation and reasoning, nonmonotonic reason- 
ing, knowledge evolution, updates, dynamic logic programming, stable model, 
Kripke structure, dynamic Kripke structure 



Abstract. The main goal of the paper is to propose a tool for a semantic specification of program updates (in the context of the dynamic logic programming paradigm). A notion of Kripke structure $\mathcal{K}_P$ associated with a generalized logic program $P$ is introduced. It is shown that some paths in $\mathcal{K}_P$ specify stable models of $P$ and vice versa, to each stable model of $P$ corresponds a path in $\mathcal{K}_P$. An operation on Kripke structures is defined: for Kripke structures $\mathcal{K}_P$ and $\mathcal{K}_U$ associated with $P$ (the original program) and $U$ (the updating program), respectively, a Kripke structure $\mathcal{K}_{P \oplus U}$ is constructed. $\mathcal{K}_{P \oplus U}$ specifies (in a reasonable sense) a set of updates of $P$ by $U$. There is a variety of possibilities for a selection of an updated program.



1 Introduction 

Knowledge evolution is a problem of crucial importance from the non-monotonic reasoning point of view. In fact, the non-monotony of reasoning is only a symptom of the evolution of knowledge.¹

A formalization of some essential features of knowledge evolution was proposed recently in [3], see also the predecessors [14,16,2,10,11]. Knowledge bases (KB) are represented in [3] by generalized logic programs which allow default negation also in heads of the rules. As a consequence, both insertions and deletions may be specified by the rules of a program. The basic situation is as follows. A program $P$ (the initial program) is given. $P$ is updated by another program $U$ (the updating program). A new program $P \oplus U$ (the updated program) is the result of the update. This situation is generalized in [3] to sequences of program updates $P \oplus U_1 \oplus \cdots \oplus U_n$. The paradigm of dynamic logic programming provides an appropriate tool for a representation of dynamically changing knowledge (dynamic knowledge bases).

¹ “. . . non-monotonic behaviour ... is a symptom, rather than the essence of non-standard inference” according to [20].



M. Parigot and A. Voronkov (Eds.): LPAR 2000, LNAI 1955, pp. 469-486, 2000. 
(c) Springer- Verlag Berlin Heidelberg 2000 







The approach of [3] is based on this basic decision: an update $KB'$ of one knowledge base $KB$ by another knowledge base $U$ should not just depend on the semantics of the knowledge bases $KB$ and $U$ but it should also depend on their syntax (the dependencies among literals are encoded in the syntax). The decision is implemented via a syntactic transformation. First, the set of propositional letters is extended. For each propositional letter a quintuple of new propositional letters is introduced. Second, the updated program $P \oplus U$ contains for each original clause from $P$ and $U$ a modified clause in the extended language. $P \oplus U$ also contains for each original propositional letter six new clauses.

The main goal of this paper is to investigate semantic foundations of the dynamic logic programming paradigm. For each generalized logic program $P$ an associated Kripke structure $\mathcal{K}_P$ is defined. Dependencies among literals are encoded in the accessibility relation of the Kripke structure. We can specify updated logic programs using a new Kripke structure $\mathcal{K}_{P \oplus U}$. $\mathcal{K}_{P \oplus U}$ is the result of an operation on Kripke structures $\mathcal{K}_P$ and $\mathcal{K}_U$, associated with an original program $P$ and an updating program $U$, respectively. There is no need for an extended language and for some new types of clauses when the updated programs are created.

Updated programs are not specified by the operation in a unique way. This is not a drawback; it is a basic general property of updates. In this paper we propose some simple, “cautious” approaches to the updated program selection. In a next paper we investigate the problem more thoroughly. The approach of [3] will be discussed from the viewpoint of possible-world semantics in more detail in the forthcoming paper, too. The main goals of this paper are:

— the introduction of the Kripkean semantics, 

— a demonstration that the semantics is useful for stable models identification 
(computation), 

— and that there is an operation on Kripke structures which can be used as a 
basis for a specification of updates of generalized logic programs. 

The paper is structured as follows. The problem is introduced, motivated, and the preliminary technicalities are sketched in the Sections 2-4. The kernel of the paper, Section 5, is devoted to Kripke structures associated with given generalized logic programs. It is proved that stable models are encoded in Kripke structures (a method of stable models computation is implicit in this encoding). A construction of the Kripke structure $\mathcal{K}_{P \oplus U}$ is introduced in Section 6. The construction is defined over given Kripke structures $\mathcal{K}_U$ and $\mathcal{K}_P$ associated with programs $U$ and $P$, respectively. Finally, $\mathcal{K}_{P \oplus U}$ is presented as a tool for a semantic specification of an update of $P$ by $U$ in Section 7. Some results concerning the correctness of the specification are proved.

2 Interpretation Updates and Dynamic Logic Programs 

The so called interpretation update approach emphasizes the role of a semantics in updating: A $KB'$ is considered to be an update of $KB$ by $U$ if the set of models of $KB'$ coincides with the set of updated models of $KB$. We may express it as $Mod(KB') = Update_U(Mod(KB))$, where $Mod(X)$ is the set of (relevant)² models of $X$ and $Update_U(\mathcal{M})$ is an update of a set $\mathcal{M}$ of models. The update is determined by the program $U$, more precisely by a set of (relevant) models of $U$.

The goal (and a strength) of the interpretation update is an abstraction from the superficial syntactic features when specifying updates. Unfortunately, it is impossible to respect dependencies among literals, to account for justifications, using the interpretation update (and using the traditional AGM-postulates, [1,8], too, see [21]). This is the reason why the interpretation update is refused in [10], and then also in [3]. The fact that $Update_U(KB)$ should not just depend on the interpretations of $KB$ and $U$ is illustrated by a simple example:

Example 1 ([3]) Let $P$ be a program: $innocent \leftarrow not\ found\_guilty$.

Consider the stable model semantics [9] as the representation of the program meaning. The meaning of $P$ is $Mod(P) = \{\{innocent\}\}$, the only stable model of $P$ is $S = \{innocent\}$.

If $P$ is updated by $U = \{found\_guilty \leftarrow\}$, then according to the interpretation update approach we should insert $found\_guilty$ into $S$, i.e.

$Update_U(Mod(P)) = \{\{innocent, found\_guilty\}\}$.

Of course, $\{innocent, found\_guilty\}$ is not the intended semantic characterization of the update of $P$ by $U$. □

Therefore, it is decided to base the updated program $P \oplus U$ on a syntactic transformation, see [3].

3 Motivation 

Our next goal is to propose a new semantics of a generalized logic program. An important feature of the semantics should be an ability to handle and to record the dependencies among literals, the justifications.

Example 2 (Continuation of the Example 1) In a sense, $innocent$ is justified (in $P$) by $not\ found\_guilty$. This justification is uprooted by the updating program $U$. It seems that dependencies, justifications, arguments are important from the semantic point of view. We propose a Kripkean semantics in order to provide a semantic characterization of the dependencies, justifications, arguments. The justifications are represented (encoded) by the accessibility relation (between interpretations).

The graphs $GP$ and $GU$ of the Figure 1 visualize the relevant parts of the Kripke structures associated with programs $P$ and $U$, respectively. The nodes of the graphs (the possible worlds) represent (partial) interpretations. An accessibility relation is defined on the interpretations as follows. A partial interpretation $M$ is accessible from another partial interpretation $M'$, if the body of a rule of the given program is satisfied in $M'$ and both the body and the head of the rule are satisfied in $M$ ($M$ is justified by $M'$).

² For example, the relevant models may be the stable models.

The graph $GC$ provides a semantic characterization of the update of $P$ by $U$. It is constructed over the graph $GU$. Some parts of the graph $GP$ may be - in general - connected to $GU$, but in our example it is impossible: no edge of $GP$ can be appended to $u1$ (no edge of $GP$ is compatible with $found\_guilty$).

Therefore, $GU = GC$ and the stable model of the updated program should be the same as the stable model of the updating program. Of course, $innocent$ is not true in $GC$. □
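As an added example (not code from the paper), the following Python builds the accessibility relation described above over all partial interpretations of the language {innocent, found_guilty}, for the programs $P$ and $U$ of Example 1, and checks the three facts the example states: $(p0, p1)$ is an edge of $GP$, $(u0, u1)$ an edge of $GU$, and no edge of $GP$ is compatible with $u1$. The literal encoding and the helper names are choices of this example.

```python
"""Accessibility relation of the Kripke structure K_P of a generalized program.

Added example (not code from the paper): edges are built over all partial
interpretations using the informal definition of Example 2 (M is accessible
from M' if some rule's body holds in M' and body and head hold in M), for the
programs P and U of Example 1.  Encodings and helper names are this example's.
"""
from itertools import product
from typing import FrozenSet, List, Tuple

Literal = Tuple[str, bool]                   # (atom, negated): ('a', True) is "not a"
Rule = Tuple[Literal, Tuple[Literal, ...]]   # (head, body); default negation may head a rule
Interp = FrozenSet[Literal]


def lit(s: str) -> Literal:
    """Parse 'a' or 'not a' into the literal encoding."""
    return (s[4:], True) if s.startswith("not ") else (s, False)


def consistent(lits) -> bool:
    """A set of literals is consistent iff it has no conflicting pair A, not A."""
    return not any((a, not neg) in lits for (a, neg) in lits)


def partial_interpretations(atoms: List[str]) -> List[Interp]:
    """All consistent subsets of L_not: each atom is absent, positive or negated."""
    out = []
    for choice in product((None, False, True), repeat=len(atoms)):
        out.append(frozenset((a, neg) for a, neg in zip(atoms, choice) if neg is not None))
    return out


def accessible(m_from: Interp, m_to: Interp, program: List[Rule]) -> bool:
    """m_to is accessible from m_from iff some rule has its body in m_from and
    body plus head in m_to (m_to is justified by m_from)."""
    return any(set(body) <= m_from and set(body) | {head} <= m_to for head, body in program)


def edges(program: List[Rule], atoms: List[str]) -> List[Tuple[Interp, Interp]]:
    worlds = partial_interpretations(atoms)
    return [(w1, w2) for w1 in worlds for w2 in worlds if accessible(w1, w2, program)]


def compatible_edges(es, world: Interp):
    """Edges whose both ends can be merged with `world` without a conflict."""
    return [(w1, w2) for w1, w2 in es if consistent(w1 | world) and consistent(w2 | world)]


ATOMS = ["innocent", "found_guilty"]
P: List[Rule] = [(lit("innocent"), (lit("not found_guilty"),))]   # Example 1: innocent <- not found_guilty
U: List[Rule] = [(lit("found_guilty"), ())]                      # updating program: found_guilty <-

# The nodes named in Fig. 1.
P0 = frozenset({lit("not found_guilty")})
P1 = frozenset({lit("not found_guilty"), lit("innocent")})
U0: Interp = frozenset()
U1 = frozenset({lit("found_guilty")})


def figure_1_check() -> Tuple[bool, bool, int]:
    """((p0,p1) in GP, (u0,u1) in GU, number of GP edges compatible with u1)."""
    gp, gu = edges(P, ATOMS), edges(U, ATOMS)
    return (P0, P1) in gp, (U0, U1) in gu, len(compatible_edges(gp, U1))


if __name__ == "__main__":
    print(figure_1_check())
```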



[Fig. 1: the graphs $GU = GC$ (top) and $GP$ (bottom); the drawing is not reproduced here, see the caption.]

Fig. 1. The node $p0$ represents the interpretation $\{not\ found\_guilty\}$, $p1 = \{not\ found\_guilty, innocent\}$, $u0 = \emptyset$, $u1 = \{found\_guilty\}$. The edges $(p0, p1)$ and $(u0, u1)$ represent the dependencies among literals (the second member of a pair is justified by the first member). The update is determined by $U$, therefore the graph associated with the update ($GC$) is constructed over the graph associated with the program $U$ ($GU$). Some parts of the graph associated with $P$ ($GP$) may be - in general - connected to $GU$, but in our case it is impossible: no edge of $GP$ can be put before $u0$, similarly, no edge can be appended to $u1$ (no edge of $GP$ is compatible with $found\_guilty$).



The example shows that an adequate semantic treatment of dependencies among literals is possible. Moreover, the semantics makes it possible to identify and to compute stable models, and also to connect relevant parts of one Kripke structure to another. This "connectivity" serves as a basis for the specification of updates in terms of a purely semantic construction.

We now proceed to the details.



4 Preliminaries

Consider a finite set of propositional symbols L. The set L^not is defined as L ∪ {not A : A ∈ L}. A member of L^not is called a literal. We will denote the set {not A : A ∈ L} by D (defaults, assumptions).
A generalized clause is a formula c of the form L ← L1, ..., Lk, where L, Li are literals. We will denote L also by head(c) and the conjunction L1, ..., Lk by body(c). A set of generalized clauses is called a generalized logic program. In the following, whenever we use "clause" or "program" we mean "generalized clause" and "generalized logic program", respectively.

For each A ∈ L, A and not A are called conflicting literals. A set of literals is consistent if it does not contain a pair of conflicting literals. A partial interpretation (of a language L^not) is a consistent subset of L^not. A total interpretation is a partial interpretation I such that for each A ∈ L either A ∈ I or not A ∈ I. We are interested in the sets of propositional symbols determined by programs: for a program P we consider the set of all propositional symbols used in P and the literals over this set. A partial interpretation of a program P is a consistent subset of these literals. The set of all partial interpretations of P we denote by Int_P. Each inconsistent set of literals we denote by w⊥.

A literal L is satisfied in a partial interpretation I if L ∈ I. A clause L ← L1, ..., Lk is satisfied in a partial interpretation I if L is satisfied in I whenever each Li is satisfied in I. A partial interpretation I is a model of a program P if each clause c ∈ P is satisfied in I. Notice that propositional generalized logic programs can be treated as Horn theories: each literal not A can be considered as a new propositional symbol (if not A ∈ L it has to be renamed). The least model of the Horn theory H we denote by Least(H).

Definition 3 (Stable model, [3]) Let P be a generalized logic program and S be an interpretation of P. It is said that S is a stable model of P iff S = Least(P ∪ S⁻), where S⁻ = {not A : not A ∈ S}. □

We will visualize Kripke structures as graphs. If e is an edge (w_i, w_{i+1}) of a graph G, the node w_i is called the source of e and w_{i+1} the target of e. A sequence σ of edges (w0, w1), (w1, w2), ..., (w_{n-1}, w_n) is called a path; w0 we denote also by begin(σ) and w_n by end(σ).

5 Kripke Structure Associated with a Program 

A notion of Kripke structure associated with a program is defined in this section. Moreover, it is shown that some distinguished paths in the defined structure represent stable models of logic programs and, conversely, for each stable model there is a distinguished path in the Kripke structure.

The basic idea of our approach was illustrated in Example 2. A more complicated example is presented below.

Example 4 ([17]) Let P be

p ← not q, r
q ← not p
r ← not s
s ← not p.







Jan Sefranek 



A fragment of K_P is depicted in Figure 2. The nodes are partial interpretations. We distinguish two kinds of edges, ρ1 and ρ2.

Consider (w1, w2), an example of a ρ1-edge, where w1 = {not p} and w2 = {not p, q, s}. There are two clauses with the body satisfied in w1. The consequences of these clauses are appended to w1; the possible world w2 is the result of this operation.

Finally, a motivation for ρ2. There is no total interpretation u such that (w2, u) ∈ ρ1, i.e. no clause is applicable to the partial interpretation w2 = {not p, q, s} (except q ← not p and s ← not p, but they do not change the possible world w2). It means that P does not enable us to justify the truth of r (if we suppose w2). Therefore, we may assume by default that r is not true (w.r.t. P and w2). The ρ2-edge from w2 to w3 represents a completion of {not p, q, s} by not r.

□ 



[Figure 2: nodes w1 = {not p}, w2 = {not p, q, s}, w3 = {not p, q, s, not r}, w4 = {r, not q}, w5 = {r, not q, p}, w6 = {r, not q, p, not s}, w7 = {not s, not q}, w8 = {not s, not q, r}; the edges (w1, w2) and (w4, w5) carry label 1, the edges (w2, w3) and (w5, w6) carry label 2]

Fig. 2. A fragment of K_P. An edge labeled by i is a ρi-edge.



Let us summarize: A ρ1-edge corresponds to an application of a clause to a partial interpretation. A clause c is applicable to a partial interpretation w if w ⊨ body(c). In general, for each c ∈ P: if w is a model of body(c), then head(c) ∈ w' for some w' such that w ⊆ w' and (w, w') ∈ ρ1. Intuitively, (w, w') represents a step in a bottom-up computation.

If an atom A is not computed (bottom-up), we assume that not A holds. The relation ρ2 represents a completion (by default negations) of partial interpretations that cannot be changed by the clauses of P.

Now we are ready to define a Kripke structure K_P associated with P.

Definition 5 Let P be a program. A Kripke structure K_P associated with P is a pair (W, ρ), where:

— W = Int_P ∪ {w⊥}; W is called the set of possible worlds, Int_P is the set of all partial interpretations of P, and w⊥ is the representative of the set of all inconsistent sets of literals,

— ρ is a binary relation on W × W; it is called the accessibility relation and it is composed of two relations, ρ = ρ1 ∪ ρ2, where

1. the accessibility relation ρ1 contains the set of all pairs (w, w') such that w' = w ∪ {head(ci) : i = 1, ..., k}, where c1, ..., ck are (not necessarily all) clauses from P such that w ⊨ body(ci),

2. if w is not a total interpretation and for no u ≠ w there is an edge (w, u) ∈ ρ1, then (w, w') ∈ ρ2, where w' = w ∪ {not A : A ∉ w}.

□



Of course, K_P may be viewed as a graph.

Definition 6 A ρ-path is a sequence σ of edges (w0, w1), (w1, w2), ..., (w_{n-1}, w_n) in K_P such that each (w_i, w_{i+1}) ∈ ρ.

We say that this σ is rooted in w0 (also w0-rooted). If there is no ρ-edge (w_n, w) in K_P such that w ≠ w_n, we say that σ is terminated in w_n (also: w_n is a terminal node of K_P). □

Sometimes we denote paths by the shorthand (w0, w1, w2, ..., w_{n-1}, w_n). Similarly, a ρ1-path could be defined.

We have seen that Kripke structures are appropriate for recording justifications (of interpretations by other interpretations). The justifications have to be non-circular. There are two kinds of basic assumptions: facts (with the empty interpretation as the justification; edges to facts are ∅-rooted) and default negations (subsets of D), called non-monotonic assumptions in TMS [6]: if there is no evidence against it, we assume not A (where A is an atom). Therefore, the Kripke structure K_P associated with a program P enables us to identify (and to compute) the stable models of P.

Example 7 Let us return to Example 4 (and to Figure 2).

There is no fact in P, hence there is no ∅-rooted path in K_P. As a consequence, the relevant paths are only those rooted in some w such that ∅ ≠ w ⊆ D (only defaults can be assumed). There is a {not s, not q}-rooted ρ-path terminated in a stable model {not s, r, not q, p} and a {not p}-rooted (similarly, also a {not p, not r}-rooted) ρ-path terminated in another stable model {p, not q, not s, r}. □

Now we are ready to state conditions for stable models in terms of nodes and paths in K_P.

Definition 8 Let P be a program and σ be an acyclic ρ-path (w0, w1, ..., w_n) from K_P. We say that σ is correctly rooted if

— either w0 = ∅

— or ∅ ≠ w0 ⊆ D. □
Theorem 9 Let P be a program, K_P be the Kripke structure associated with P, and σ = (w0, w1), (w1, w2), ..., (w_{n-1}, w_n) be an acyclic ρ-path in K_P terminated in a total interpretation w_n.

If σ is correctly rooted, then w_n is a stable model of P.

Proof Sketch:

Let P be a generalized logic program. Let P' be P ∪ {not A : not A ∈ w_n}. Consider P' as a definite program (each literal not A is a new propositional letter) with integrity constraints of the form ← A, not A for each propositional symbol A of P.

According to [3], see also Definition 3: w_n is a stable model of P iff w_n = Least(P ∪ w_n⁻), where w_n⁻ = {not A : not A ∈ w_n}.

We assume that σ = (w0, w1, ..., w_{n-1}, w_n) is correctly rooted and w_n is a total interpretation. If (w_{n-1}, w_n) ∈ ρ1 it is straightforward to show that w_n = Least(P ∪ w_n⁻). Otherwise, notice that w* = w0 ∪ (w_n \ w_{n-1}) ⊆ w_n⁻ and (w*, (w1 ∪ w*), ..., (w_{n-1} ∪ w*)) is a correctly rooted acyclic ρ1-path terminated in w_n. It means that Least(P') = w_n. Clearly, the integrity constraints are satisfied in w_n. Finally, Least(P') = Least(P ∪ w_n⁻). □

Theorem 10 Let S be a stable model of a generalized logic program P and K_P be the Kripke structure associated with P.

There is a correctly rooted and acyclic ρ-path σ = (w0, ..., w_n, S) in K_P terminated in S.

Proof Sketch:

We again use S = Least(P ∪ S⁻). We can construct a correctly rooted (in S⁻) ρ-path terminated in S both if S⁻ = ∅ and if S⁻ ≠ ∅. □

Fact 11 Let P, K_P be as in Theorem 10. If (D, w⊥) ∉ ρ1, then D is the only stable model of P.

Proof: First, D is a stable model of P: Let D' ≠ ∅ be a proper subset of D. Then (D', D) is a correctly rooted ρ-path terminated in the total interpretation D.

Let (w0, ..., w_n) be a correctly rooted ρ-path terminated in a total interpretation w_n ≠ D. Hence, A ∈ w_n for at least one atom A. Of course, there is an atom A, a rule A ← L1, ..., Lk, and a correctly rooted ρ-path (u0, ..., u_m) such that u_m = w_n and u0 ⊨ L1, ..., Lk, where u0 ⊆ D. Therefore, D ⊨ L1, ..., Lk and (D, w⊥) ∈ ρ1. It means that D is the only stable model of P. □

Fact 12 Let P and K_P be as in Theorem 10. If σ = (w0, w1, ..., w_n) is a ρ-path in K_P terminated in w_n ≠ w⊥, then w_n is a model of P.

If M is a model of P, then there is a ρ-path in K_P terminated in M.

Proof: If c ∈ P and w_i ⊨ body(c) for some w_i, then head(c) ∈ w_{i+1}.

M is not an isolated node: If M = D, we can use the edge (D', D) from the proof of Fact 11. If M ≠ D and w = M \ D, then there is a path σ in K_P such that begin(σ) = w and end(σ) = M.

M is a terminal node: (M, w⊥) ∉ ρ1, otherwise there is a clause c ∈ P which is not true in M. □

6 Updated Kripke Structures

We are going to construct a Kripke structure K_{P⊕U} over two Kripke structures: over K_P (let us recall that it specifies the semantics of an original program P) and over K_U (specifying the semantics of an updating program U). We intend to use the structure as a semantic specification of an updated program.

First we motivate the definitions of some notions needed for the construction of K_{P⊕U}. The concept called continuation node is the most important one.

We assume that the nodes of K_{P⊕U} are the (partial) interpretations of the joint language of P and U.

Example 13 ([3]) Let P = {s ← not t; a ← t; t ←} be given. We assume that P is updated by U = {not t ← p; p ←}. The relevant parts of K_P and K_U are illustrated in Figure 3. We construct K_{P⊕U} over K_U; the update is dominated by K_U. If P can consistently add something to U, it should be accepted. Hence, some paths from K_P may be connected to K_U.

Consider possible worlds from K_P: w1 = ∅, w2 = {t}, w3 = {t, a}, w4 = {t, a, not s}, w5 = {not t}, w6 = {not t, s}. Similarly, the relevant possible worlds from K_U are: u1 = ∅, u2 = {p}, u3 = {p, not t}.

An important decision should be made: Which paths of K_P may be connected to which nodes of K_U?

Above all, the nodes of K_U which terminate ρ1-paths are the reasonable continuation nodes. If we connect a path of K_P to an intermediate node of a ρ1-path of K_U, then some information of U could be lost. On the other hand, the acceptance of default assumptions should be postponed until all ρ1-paths of K_{P⊕U} are constructed.

Let us summarize: we have a first example of continuation nodes, the terminal nodes of ρ1-paths.

Now we proceed to the connection of relevant paths to the continuation nodes. A path σ of K_P may be connected to a continuation node w of K_U if begin(σ) is compatible, in a sense, with w.

In our simple example, the only relevant continuation node is u3. If we connect the path (w1, w2, w3, w4) to the continuation node u3 = {p, not t}, the first edge (w1, w2) leads to w⊥: the node w2 = {t} contradicts the node u3.

On the contrary, the path (w5, w6) may be connected successfully to the node u3. The node w5 is compatible with the node u3: w5 ⊆ u3, i.e. every literal satisfied in w5 is satisfied in u3, too. Moreover, w6 and u3 are consistent.

Therefore, the path of K_{P⊕U} could be σ = (u1, u2, u3, w, w'), where w = u3 ∪ w6 (notice that u3 = u3 ∪ w5) and w' = w ∪ {not a}. The edge (u3, w) we obtain by connecting (w5, w6) to u3. The last edge, (w, w'), is a ρ2-edge. This completion is made w.r.t. the joint language of P and U. The relevant part of K_{P⊕U} is in Figure 3.

The path σ is correctly rooted and it is terminated by the total interpretation w'. We can consider a correctly rooted path from K_{P⊕U} which terminates in a total interpretation to be a basis for a semantic specification of updated programs P ⊕ U.

By the way, w' = {p, not t, s, not a} is the only stable model (modulo irrelevant literals) of the updated program P ⊕ U, as defined in [3]. □



[Figure 3: three panels, "Updated" with the path u1 → u2 → u3 → w = {p, not t, s} → w' = {p, not t, s, not a} (the last edge labeled 2), "U" with the relevant part of K_U, and "P" with the relevant part of K_P]

Fig. 3. The relevant parts of K_P and K_U from Example 13. The edges are labeled as in Figure 2. The edge (w5, w6) from K_P is connected to the path (u1, u2, u3) from K_U and the path is completed by the edge (w, w'). The resulting path from K_{P⊕U} is (u1, u2), (u2, u3), (u3, w), (w, w'), where w = u3 ∪ w6 and w' = w ∪ {not a} = {p, not t, s, not a}.



The example motivates our first decision about continuation nodes: Each terminal node of a ρ1-path from K_U is a continuation node. Let w be a continuation node. We may connect a path σ from K_P to w if all formulae satisfied in w are satisfied also in begin(σ) and if a consistency criterion is satisfied. The node w can be considered as a justification of the connected path.

Now we extend our idea of continuation nodes: It is acceptable to connect some paths of K_P before some nodes of K_U: Possible continuation nodes are also w0 = ∅ and ∅ ≠ w0 ⊆ D, if there is in K_U no ρ1-path rooted in w0.

We are now ready to present a series of definitions.
Definition 14 Let K_U be a Kripke structure associated with an update program U.

Continuation nodes of K_U are

(i) all nodes terminating a ρ1-path,

(ii) ∅ or w such that ∅ ≠ w ⊆ D, if they are not the source of a ρ1-edge.

□

Definition 15 The path σ = (w0, w1, ..., w_n) from K_P may be connected to a node w from K_U iff w0 ⊆ w and w ∪ w1 is consistent. □

Definition 16 Let σ = (u0, ..., u_n) be a ρ-path and w be a node.

Then connect σ to w is a partial operation as follows: if σ may be connected to w, then (w, u1 ∪ w), ..., (u_{n-1} ∪ w, u_n ∪ w) is a ρ-path. If for some i ≥ 1 it holds that w ∪ u_i is inconsistent, it is replaced by w⊥ and the rest of the path is removed. □

Definition 17 Let K_P and K_U be the Kripke structures associated with non-empty programs P and U, respectively.

We construct K_{P⊕U} as follows:

1. each ρ1-edge from K_U is a ρ1-edge of K_{P⊕U},

2. for each continuation node w from K_U and each ρ1-path σ = (u0, u1, ..., u_n) from K_P: connect σ to w,

3. introduce new ρ2-edges whenever it is possible.

□
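The following Python program is an added example, not code from the paper: it builds the Kripke structure K_P of Definition 5 for the program of Example 4 and checks Theorems 9 and 10 against Definition 3 by brute force, then carries out the construction of Definition 17 for the programs of Examples 13 and 19 and collects the good worlds of Definition 18. The (head, body) clause encoding, the literal strings and the name w_bot standing for w⊥ are this example's own choices. Three points the text leaves open are fixed here as assumptions: the ρ1-edges taken from K_U in step 1 are those of K_U over the language of U, while the ρ2-completion of step 3 is made over the joint language of P and U; only ρ1-paths of K_P through consistent nodes are connected (a path of K_P that ends in w⊥ records an inconsistency of P alone); and Definition 15 is read as requiring w ∪ w1 to be consistent, a later conflict being handled by Definition 16.

```python
from itertools import combinations, product

BOT = "w_bot"  # stands for w⊥, the representative of all inconsistent sets of literals

# Programs are lists of (head, body) clauses over literals "a" / "not a".
# The programs of Examples 4, 13 and 19, transcribed from the paper.
P4 = [("p", ("not q", "r")), ("q", ("not p",)), ("r", ("not s",)), ("s", ("not p",))]
P13, U13 = [("s", ("not t",)), ("a", ("t",)), ("t", ())], [("not t", ("p",)), ("p", ())]
P19, U19 = [("a", ()), ("b", ("a",))], [("not b", ("c",)), ("c", ("not a",)), ("a", ("not c",))]

def neg(lit):
    return lit[4:] if lit.startswith("not ") else "not " + lit

def atoms(prog):
    return sorted({neg(l) if l.startswith("not ") else l for h, b in prog for l in (h, *b)})

def consistent(w):
    return w != BOT and not any(neg(l) in w for l in w)

def total(w, ats):
    return w != BOT and all(a in w or "not " + a in w for a in ats)

def interpretations(ats):
    # every partial interpretation over ats: each atom absent, true or default-negated
    for choice in product((None, True, False), repeat=len(ats)):
        yield frozenset(a if v else "not " + a for a, v in zip(ats, choice) if v is not None)

def rho1(prog, w):
    """Definition 5(1): apply any non-empty selection of clauses whose bodies hold in w
    (an inconsistent result is w⊥; a selection that adds nothing is a self-loop, dropped)."""
    applicable = [c for c in prog if set(c[1]) <= w]
    out = {w | {h for h, _ in sel} for k in range(1, len(applicable) + 1)
           for sel in combinations(applicable, k)}
    return {w2 if consistent(w2) else BOT for w2 in out} - {w}

def kripke(prog):
    """Definition 5: K_P as node -> set of (target, kind), kind 1 = rho1, 2 = rho2."""
    ats, edges = atoms(prog), {BOT: set()}
    for w in interpretations(ats):
        edges[w] = {(t, 1) for t in rho1(prog, w)}
        if not edges[w] and not total(w, ats):  # Definition 5(2): complete by defaults
            edges[w].add((w | {"not " + a for a in ats if a not in w}, 2))
    return edges

def good_worlds(edges, ats):
    """Total terminal nodes reached from ∅ or from a set of defaults (Definition 8):
    stable models by Theorems 9/10 in K_P, good worlds by Definition 18 in K_{P+U}."""
    stack = [w for w in edges if w != BOT and w <= {"not " + a for a in ats}]
    seen, found = set(stack), set()
    while stack:  # edges only enlarge worlds, so every path is acyclic
        w = stack.pop()
        if not edges[w] and total(w, ats):
            found.add(w)
        stack += [t for t, _ in edges[w] if t not in seen]
        seen |= {t for t, _ in edges[w]}
    return found

def least(clauses, facts=()):
    m = set(facts)
    while True:
        new = {h for h, b in clauses if h not in m and all(l in m for l in b)}
        if not new:
            return frozenset(m)
        m |= new

def stable_models(prog):
    """Definition 3 by brute force: total S with S = Least(P ∪ S⁻)."""
    ats = atoms(prog)
    return {S for S in interpretations(ats)
            if total(S, ats) and S == least(prog, {l for l in S if l.startswith("not ")})}

def rho1_paths(prog):
    """All rho1-paths of K_P through consistent nodes (assumption: paths into w⊥ are not connected)."""
    paths, todo = [], [[w] for w in interpretations(atoms(prog))]
    while todo:
        path = todo.pop()
        for t in rho1(prog, path[-1]) - {BOT}:
            paths.append(path + [t])
            todo.append(path + [t])
    return paths

def continuation_nodes(KU, ats_u):
    """Definition 14: ends of rho1-paths, plus ∅ and default sets that start no rho1-edge."""
    targets = {t for v in KU for t, k in KU[v] if k == 1}
    return {w for w in KU if w != BOT and not any(k == 1 for _, k in KU[w])
            and (w in targets or w <= {"not " + a for a in ats_u})}

def connect(path, w):
    """Definitions 15/16: re-root the path in w if its root fits into w and the first step
    stays consistent; a later inconsistent node becomes w⊥ and cuts the path."""
    if not path[0] <= w or not consistent(w | path[1]):
        return []
    edges, prev = [], w
    for u in path[1:]:
        nxt = w | u if consistent(w | u) else BOT
        if nxt != prev:  # a step adding nothing is a redundant cycle (Example 19)
            edges.append((prev, nxt))
        prev = nxt
        if nxt == BOT:
            break
    return edges

def updated_kripke(P, U):
    """Definition 17: K_{P+U} (node -> set of (target, kind)) and the atoms of the joint language."""
    ats, KU = sorted(set(atoms(P)) | set(atoms(U))), kripke(U)
    edges = {w: {(t, 1) for t, k in KU[w] if k == 1} for w in KU}  # step 1: rho1-edges of K_U
    for w in continuation_nodes(KU, atoms(U)):                      # step 2: connect paths of K_P
        for path in rho1_paths(P):
            for src, dst in connect(path, w):
                edges.setdefault(src, set()).add((dst, 1))
                edges.setdefault(dst, set())
    for w in list(edges):                                           # step 3: rho2 over the joint language
        if w != BOT and not edges[w] and not total(w, ats):
            w2 = w | {"not " + a for a in ats if a not in w}
            edges[w].add((w2, 2))
            edges.setdefault(w2, set())
    return edges, ats
```

stable_models(P4) and good_worlds(kripke(P4), atoms(P4)) return the same two worlds for Example 4, {p, not q, not s, r} and {not p, q, s, not r}; good_worlds(*updated_kripke(P13, U13)) returns only w' = {p, not t, s, not a} of Example 13, and for Example 19 the two worlds w = {not c, a, b} and w2 = {not a, c, not b} come out, the second being reached from the root {not a} while the fact a ← of P is rejected.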

7 Updated Programs Specification

In this section we present some useful properties of K_{P⊕U} and then we sketch some simple methods of updated programs construction.

7.1 Good Worlds and the Stability Condition

First, we introduce a definition in order to simplify the description of K_{P⊕U}. By analogy to the results of Section 5, correctly rooted ρ-paths terminated in a total interpretation from K_{P⊕U} deserve special interest. We will use them as a basis for a specification of P ⊕ U.

Definition 18 (Good worlds) Let a Kripke structure K_{P⊕U} be given. Let σ be a correctly rooted ρ-path from K_{P⊕U} terminated in a total interpretation w. We say that σ is a distinguished ρ-path and w is a good world. □
Now it can be said that we will use distinguished ρ-paths and good worlds as a tool for a specification of P ⊕ U. We accept a cautious strategy in this paper: for each distinguished ρ-path σ (and the corresponding good world w) from K_{P⊕U} we are aiming at specifying a program Π such that w is the only stable model of Π. It means that we consider K_{P⊕U} as the specification of a variety of updates.

Our next goal is to define a criterion of a reasonable update of P by U. Updated programs specified by K_{P⊕U} should satisfy the criterion. The criterion is called the stability condition. It provides a natural characterization of what to accept (or what to reject) from the original program P, if a model M of the updating program U is given. The model M represents an (alternative) belief set dominating the update.

The results of this subsection (Fact 23, Theorem 24, and Consequence 26) show that

— the stability condition and good worlds agree, in a sense,

— both concepts (stability condition, good worlds) enable us to specify updated programs compatible with U,

— good worlds are stable models of the updated programs.

A crucial issue is what to accept and what to reject from the original program P, if the updating program U is given. The next example motivates why sometimes the defaults from U override facts from P.

Example 19 Let P be {a ←; b ← a} and U be {not b ← c; c ← not a; a ← not c}.

U specifies an intuitively acceptable update of P: a new propositional symbol c is introduced, the meaning of c is the opposite to the meaning of a, and c is a condition for not b (while a, according to P, is a condition for b). Notice that no path of K_U is rooted in ∅ and the stable models of U are based on some default assumptions.

The relevant parts of K_P, K_U, and K_{P⊕U} are illustrated in Figure 4. The continuation nodes of K_U are w2 and w4. The ρ-path (u0, u1, u2) from K_P may not be connected to w2: the edge (u0, u1) leads immediately to w⊥ (w2 ∪ u1 is not consistent). If we connect the path to the node w4 we get w = {not c, a, b} (a redundant cycle (w4, w4) = (w4, w4 ∪ u1) is removed).

Let us summarize: we have two ρ-paths terminated in a total interpretation in K_{P⊕U}: (w3, w4, w) and (w0, w1, w2). The total interpretation w respects the facts from P, but the total interpretation w2 does not respect them; it prefers the default assumptions of U.

Our attitude here is a cautious one: we allow both interpretations to determine an updated program P ⊕ U. □

Example 19 shows that sometimes it is justified to reject some facts of P. Let us suppose that a literal L holds in a stable model S of the updating program U and L' ← is a fact of the original program P, where L and L' are conflicting literals. The fact is rejected if we accept the belief set S.
[Figure 4: three panels. "Updated": the paths w3 → w4 → w = {not c, a, b} and w0 → w1 → w2. "U": w0 = {not a}, w1 = {not a, c}, w2 = {not a, c, not b}, w3 = {not c}, w4 = {not c, a}, w5 = {not c, a, not b}. "P": u0 = {}, u1 = {a}, u2 = {a, b}.]

Fig. 4. A fragment of the graphs from Example 19. The relevant parts of K_{P⊕U} are the same as those of K_U with the only exception: the node w = {not c, a, b} instead of w5, and (w4, w) ∈ ρ1.



Definition 20 Let M be an interpretation of an updating program U, and L, L' be conflicting literals. Let P be an original program.

— Rejected(M) = {c ∈ P : (∃c' ∈ U) (head(c), head(c') are conflicting literals and M ⊨ body(c'))} ∪ {L ← ∈ P : L' ∈ M}

— Residue(M) = U ∪ (P \ Rejected(M))

— Defaults(M) = {not A : (∀c ∈ Residue(M)) (head(c) = A ⇒ M ⊭ body(c))}, where A is an atom.

□

Our definition of rejected clauses slightly differs from that of [3]. The basic difference is that in [3] facts from P are not rejected when they are in conflict with a stable model S.² Similarly, our definition of defaults is different: we define defaults with respect to Residue(M), while in [3] they are defined w.r.t. P ∪ U.

Definition 21 (Stability condition) Let programs P, U be given. Let w be a possible world from K_{P⊕U}. We say that w satisfies the stability condition if it holds that

w = Least(Residue(w) ∪ Defaults(w)). □

² From this point of view, the approach of [10,11] is similar to our approach. On the other hand, Rejected(M) may be defined in a distinct way also in our setting. A more detailed comparison and an analysis of some possibilities will be presented in the forthcoming paper.
The next example shows that some good worlds which do not satisfy the stability condition as defined in [3]³ satisfy our Definition 21. Moreover, each good world satisfies the condition (see Theorem 24 below).

Example 22 Let us recall Example 19. One of the distinguished paths terminates in the good world w2 = {not a, c, not b}. Consider a modification of Residue(w2) and Defaults(w2). Let Π ⊆ P be a consistent set of clauses such that (a ←) ∈ Π. Let Δ be {not A : ∀c ∈ (Π ∪ U) (head(c) = A ⇒ w2 ⊭ body(c))}. Then w2 ≠ Least(Π ∪ U ∪ Δ), because not a ∉ Least(Π ∪ U ∪ Δ). It means that the good world w2 does not satisfy the stability condition for the modified Residue(w2) and Defaults(w2).

Notice that Residue(w2) as defined in [3] contains a ←.

According to our Definition 20: Rejected(w2) = P, Residue(w2) = U, and Defaults(w2) = {not a, not b}, hence Least(Residue(w2) ∪ Defaults(w2)) = w2. □

We proceed to the results of this subsection. The stability condition provides an important criterion: Each possible world w satisfying this condition respects the information of the updating program U; w is a model of U. Moreover, w is a stable model of Residue(w), where Residue(w) can be viewed as a natural updated program.

Fact 23 Let P, U be programs. If a possible world w from K_{P⊕U} satisfies the stability condition, then

— w is a model of U,

— w is a stable model of Residue(w).

Proof Sketch: It is straightforward to show that w is a model of U: w = Least(Residue(w) ∪ Defaults(w)) = Least(U ∪ (P \ Rejected(w)) ∪ Defaults(w)). If not A ∈ Defaults(w), then A ∉ w, therefore not A ∈ w⁻, i.e.

Least(Residue(w) ∪ Defaults(w)) ⊆ Least(Residue(w) ∪ w⁻).

Let us suppose that not A ∈ w⁻ and there is no clause c ∈ Residue(w) such that head(c) = not A and w ⊨ body(c). Therefore, for each clause d ∈ Residue(w) it holds that if head(d) = A, then w ⊭ body(d) (otherwise A ∈ w). Hence, it holds that

Least(Residue(w) ∪ w⁻) ⊆ Least(Residue(w) ∪ Defaults(w)). □

Now we demonstrate the important role of distinguished paths and good worlds for updated programs specification. Good worlds and worlds satisfying the stability condition coincide.

Theorem 24 Let P, U be given. Then w_n is a good world from K_{P⊕U} iff w_n satisfies the stability condition.

³ The term "stability condition" is not used in [3].
Proof Sketch:

⇒: We assume a correctly rooted ρ-path σ = (w0, w1, ..., w_n) terminated in w_n. If (w_{n-1}, w_n) ∈ ρ1, then Defaults(w_n) = w0.

Otherwise, Defaults(w_n) = w0 ∪ (w_n \ w_{n-1}), and in both cases we have a "computation bottom-up" starting in w0 and terminated in w_n, i.e.

w_n = Least(Residue(w_n) ∪ Defaults(w_n)).

⇐: w_n = Least(Residue(w_n) ∪ Defaults(w_n)) is assumed. According to Fact 23, w_n is a stable model of Residue(w_n). It means that there is a correctly rooted ρ-path σ in K_{Residue(w_n)} terminated in w_n (Theorem 10). Lemma 25 shows that w_n is a good world also w.r.t. K_{P⊕U}.

Lemma 25 Let P and U be programs and w_n be a total interpretation from K_{P⊕U}.

If σ = (w0, ..., w_n) is a correctly rooted ρ-path from K_{Residue(w_n)} which is terminated in w_n, then there is a correctly rooted ρ-path σ' in K_{P⊕U} which is terminated in w_n.

Proof Sketch: If (w_i, w_{i+1}) ∈ σ and there are clauses c ∈ U and d ∈ P such that w_i ⊨ body(c), w_i ⊨ body(d), and head(c), head(d) ∈ w_{i+1}, head(c) ≠ head(d), then there is a path (w_i, w', w_{i+1}), where w' = w_i ∪ {L ∈ w_{i+1} : ∃c ∈ U (head(c) = L)}.

By repeating this construction we get a path from K_{P⊕U} which is correctly rooted and terminated in w_n. □

Finally, the next straightforward consequence shows that good worlds from K_{P⊕U} have reasonable properties from the viewpoint of updated programs specification.

Consequence 26 Let P, U be programs and w be a good world of K_{P⊕U}. Then

— w is a model of U,

— w is a stable model of Residue(w).

It is time to specify P ⊕ U (using distinguished ρ-paths and good worlds).



7.2 Updated Programs

In general, each (non-trivial) update may be realized in different ways. (Moreover, we accept the stable-model semantics, therefore it is natural to allow more results of an update.)

The most simple possibility is to consider Residue(w) as an updated program (for any good world w).

A further possible specification of an updated program: K_{P⊕U} determines a set S of programs⁴ as follows. Each distinguished ρ-path σ determines one program Π from the set.

The construction of Π: Let a distinguished ρ-path σ = (w0, ..., w_n) be given. For each edge (w_i, w_{i+1}) ∈ ρ1 ∪ ρ2 let w_i = {L1, ..., Lk} and w_{i+1} \ w_i = {L'1, ..., L'l}. We put L'j ← L1, ..., Lk into Π for each j = 1, ..., l.

The good world end(σ) of σ is the (only) stable model of Π:

Fact 27 Let Π be constructed from K_{P⊕U} over a distinguished ρ-path σ as above.

Then the good world end(σ) of σ is the (only) stable model of Π.

Proof Sketch: First, end(σ) is a stable model of Π: it is a good world and a terminal of a correctly rooted path from K_Π. Second, it is the only total interpretation of K_Π which terminates a correctly rooted ρ-path. □
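As a further added example (again not the paper's own code), the following Python implements the sets Rejected, Residue and Defaults of Definition 20, the stability condition of Definition 21, and the construction of Π from a distinguished ρ-path given above, and checks them on the worlds of Examples 13, 19 and 22. The (head, body) clause encoding and the literal strings are this example's own; Defaults(M) is taken to range over the atoms of P ∪ U (the text says only "where A is an atom"); the two distinguished paths are transcribed from Figure 3 and from Example 19. stable_models enumerates every S⁻ ⊆ D and applies Definition 3 directly, so the uniqueness claim of Fact 27 is checked rather than assumed.

```python
from itertools import combinations

# (head, body) clauses of Examples 13 and 19, transcribed from the paper.
P13, U13 = [("s", ("not t",)), ("a", ("t",)), ("t", ())], [("not t", ("p",)), ("p", ())]
P19, U19 = [("a", ()), ("b", ("a",))], [("not b", ("c",)), ("c", ("not a",)), ("a", ("not c",))]

def neg(lit):
    return lit[4:] if lit.startswith("not ") else "not " + lit

def atoms(*progs):
    return sorted({neg(l) if l.startswith("not ") else l
                   for p in progs for h, b in p for l in (h, *b)})

def least(clauses, facts=()):
    """Least model of a Horn theory, reading every 'not A' as a fresh symbol."""
    m = set(facts)
    while True:
        new = {h for h, b in clauses if h not in m and all(l in m for l in b)}
        if not new:
            return frozenset(m)
        m |= new

def rejected(P, U, M):
    """Definition 20: clauses of P whose head conflicts with the head of a U-clause whose
    body holds in M, plus facts of P whose literal conflicts with M."""
    return [c for c in P if any(neg(c[0]) == d[0] and set(d[1]) <= M for d in U)
            or (not c[1] and neg(c[0]) in M)]

def residue(P, U, M):
    rej = rejected(P, U, M)
    return U + [c for c in P if c not in rej]

def defaults(P, U, M):
    """not A for every atom A (assumption: atoms of P ∪ U) without a Residue(M)-clause
    for A whose body holds in M."""
    res = residue(P, U, M)
    return {"not " + a for a in atoms(P, U) if all(not set(b) <= M for h, b in res if h == a)}

def stability_condition(P, U, w):
    """Definition 21: w = Least(Residue(w) ∪ Defaults(w))."""
    return frozenset(w) == least(residue(P, U, w), defaults(P, U, w))

def program_from_path(path):
    """Construction of Π: for each edge, every literal gained gets a clause whose body is
    the source world."""
    return [(lit, tuple(sorted(src))) for src, dst in zip(path, path[1:]) for lit in sorted(dst - src)]

def stable_models(prog):
    """Definition 3: total, consistent S with S = Least(prog ∪ S⁻), trying every S⁻ ⊆ D."""
    ats, found = atoms(prog), set()
    for k in range(len(ats) + 1):
        for S_minus in combinations(["not " + a for a in ats], k):
            S = least(prog, S_minus)
            if (all((a in S) != ("not " + a in S) for a in ats)
                    and {l for l in S if l.startswith("not ")} == set(S_minus)):
                found.add(S)
    return found

# Distinguished paths transcribed from Figure 3 (Example 13) and Example 19 (w3, w4, w).
PATH13 = [frozenset(), frozenset({"p"}), frozenset({"p", "not t"}),
          frozenset({"p", "not t", "s"}), frozenset({"p", "not t", "s", "not a"})]
PATH19 = [frozenset({"not c"}), frozenset({"not c", "a"}), frozenset({"not c", "a", "b"})]
```

For w2 = {not a, c, not b} of Example 22, rejected(P19, U19, w2) is the whole of P, defaults returns {not a, not b} and the stability condition holds; it holds as well for w = {not c, a, b}, and fails for w5 = {not c, a, not b}, the node of K_U that K_{P⊕U} replaces. program_from_path(PATH13) yields {p ←; not t ← p; s ← not t, p; not a ← not t, p, s}, whose only stable model is w' of Example 13.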

Π introduced above is a member of a family of representatives of P ⊕ U in a sense.

Of course, there are more sophisticated possibilities of how to construct P ⊕ U. Special attention deserves the idea of partial evaluation of P with respect to the continuation nodes of K_U, see [12].

All presented proposals for a specification of an updated program on the basis of K_{P⊕U} are cautious; they select one of the possible alternatives. Skeptical solutions will be discussed in a forthcoming paper.

Remark 28 Our approach can be expressed also in terms of the stable model (answer set) programming paradigm [15,13,17]. Consider a model w of U. It can be said that the model represents the information of U (from a point of view). The model can be viewed as a basis of a constraint satisfaction process and the rules of P can be viewed as constraints. Some of the constraints are not applicable to w (w does not satisfy the constraints); they are rejected. The rest of the constraints are applicable and may be added to the rules from U. The application of the constraints results in some modifications of w (the solutions of the constraint satisfaction process).

8 Conclusions

The approach presented in this paper shows that updates of programs may be specified in a purely semantic frame. The approach is very simple; it does not need an extension of the language and/or of the program(s). There is a variety of syntactic implementations of a given semantic specification. In this paper some straightforward constructions are proposed.

The main contributions of the paper may be summarized as follows:

— a semantic treatment of justifications in terms of Kripke structures,

— a characterization of stable models in terms of Kripke structures,

— a semantic (and sensitive w.r.t. justifications) characterization of generalized logic programs revisions.

⁴ We may say that S is a family of representatives for P ⊕ U.

A forthcoming paper will be devoted to a more thorough comparison of the approach of [3] and of the approach presented here. Further, more sophisticated possibilities of P ⊕ U specification in terms of K_{P⊕U} will be investigated. Similarly for an extension to the case of dynamic program updates specification (some priorities have to be assigned to the edges of the Kripke structures).

Also the topic of inconsistent generalized logic programs and their revisions (their use in dynamic logic programming) deserves interest.

Another open problem is a compilation of stable model computing in the spirit of [4], see also [5]. The off-line part of the computation provides a construction of the Kripke structure associated with the given program. The on-line part consists in identifying the stable models in the Kripke structure.

Our approach uses an old idea of TMS, [6] (and a formal reconstruction of TMS by Elkan, [7]). Updates must respect dependencies among literals. Justifications of believed facts are important parts of knowledge bases. Argumentation must not be circular. There are some basic assumptions of each argumentation (justification): axioms (facts) and default assumptions.

Last, some remarks about dynamic Kripke structures (DKS): The concept was introduced and studied in [18,19]. The basic idea about DKS consisted in some transformations of possible worlds. A possibility to modify dynamically the accessibility relation was proposed in [19]. Now, in the present paper the dynamics is implicit in the operation on Kripke structures. Hence, a generalization of the DKS concept (and its applications to the study of knowledge evolution, of hypothetical, nonmonotonic reasoning) is a goal of our research in the future.